security-mcp 1.1.4 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (158) hide show
  1. package/README.md +341 -1018
  2. package/defaults/checklists/ai.json +20 -1
  3. package/defaults/checklists/api.json +35 -1
  4. package/defaults/checklists/infra.json +34 -1
  5. package/defaults/checklists/mobile.json +23 -1
  6. package/defaults/checklists/payments.json +15 -1
  7. package/defaults/checklists/web.json +11 -1
  8. package/defaults/cloud-controls/aws.json +10712 -0
  9. package/defaults/cloud-controls/azure.json +7201 -0
  10. package/defaults/cloud-controls/gcp.json +4061 -0
  11. package/defaults/control-catalog.json +24 -0
  12. package/defaults/security-policy.json +2 -2
  13. package/dist/ci/pr-gate.js +22 -5
  14. package/dist/cli/index.js +73 -2
  15. package/dist/cli/install.js +4 -55
  16. package/dist/cli/onboarding.js +18 -10
  17. package/dist/gate/baseline.js +82 -7
  18. package/dist/gate/catalog.js +10 -2
  19. package/dist/gate/checks/agentic-instructions.js +515 -0
  20. package/dist/gate/checks/ai-governance.js +132 -0
  21. package/dist/gate/checks/ai.js +757 -39
  22. package/dist/gate/checks/auth-deep.js +920 -216
  23. package/dist/gate/checks/business-logic.js +751 -0
  24. package/dist/gate/checks/ci-pipeline.js +399 -4
  25. package/dist/gate/checks/cloud-controls.js +69 -0
  26. package/dist/gate/checks/crypto.js +423 -2
  27. package/dist/gate/checks/data-platform.js +954 -0
  28. package/dist/gate/checks/dependencies.js +582 -15
  29. package/dist/gate/checks/docker-deep.js +1236 -0
  30. package/dist/gate/checks/gitops.js +724 -0
  31. package/dist/gate/checks/graphql.js +201 -19
  32. package/dist/gate/checks/iac.js +1230 -0
  33. package/dist/gate/checks/infra.js +246 -1
  34. package/dist/gate/checks/injection-deep.js +827 -184
  35. package/dist/gate/checks/k8s.js +955 -2
  36. package/dist/gate/checks/mobile-android.js +917 -3
  37. package/dist/gate/checks/mobile-ios.js +797 -5
  38. package/dist/gate/checks/required-artifacts.js +194 -0
  39. package/dist/gate/checks/runtime.js +178 -0
  40. package/dist/gate/checks/secrets.js +256 -13
  41. package/dist/gate/checks/supply-chain-deep.js +787 -0
  42. package/dist/gate/checks/web-nextjs.js +572 -48
  43. package/dist/gate/cloud-controls/apply.js +115 -0
  44. package/dist/gate/cloud-controls/bicep.js +36 -0
  45. package/dist/gate/cloud-controls/cfn.js +125 -0
  46. package/dist/gate/cloud-controls/detect.js +104 -0
  47. package/dist/gate/cloud-controls/hcl.js +140 -0
  48. package/dist/gate/cloud-controls/types.js +87 -0
  49. package/dist/gate/diff.js +17 -5
  50. package/dist/gate/evidence.js +8 -1
  51. package/dist/gate/exceptions.js +202 -9
  52. package/dist/gate/findings.js +15 -2
  53. package/dist/gate/policy.js +316 -130
  54. package/dist/gate/threat-intel.js +6 -0
  55. package/dist/mcp/audit-chain.js +131 -28
  56. package/dist/mcp/auth.js +169 -0
  57. package/dist/mcp/learning.js +129 -4
  58. package/dist/mcp/model-router.js +161 -24
  59. package/dist/mcp/orchestration.js +377 -89
  60. package/dist/mcp/server.js +460 -69
  61. package/dist/mcp/tool-audit.js +193 -0
  62. package/dist/repo/fs.js +37 -1
  63. package/dist/repo/search.js +31 -6
  64. package/dist/review/store.js +56 -3
  65. package/dist/tests/run.js +124 -1
  66. package/package.json +9 -9
  67. package/skills/_TEMPLATE/SKILL.md +99 -0
  68. package/skills/advanced-dos-tester/SKILL.md +118 -0
  69. package/skills/agentic-instruction-auditor/SKILL.md +111 -0
  70. package/skills/agentic-loop-exploiter/SKILL.md +377 -0
  71. package/skills/ai-llm-redteam/SKILL.md +113 -0
  72. package/skills/ai-model-supply-chain-agent/SKILL.md +112 -0
  73. package/skills/algorithm-implementation-reviewer/SKILL.md +107 -0
  74. package/skills/android-penetration-tester/SKILL.md +464 -46
  75. package/skills/anti-replay-tester/SKILL.md +115 -0
  76. package/skills/appsec-code-auditor/SKILL.md +94 -0
  77. package/skills/artifact-integrity-analyst/SKILL.md +450 -0
  78. package/skills/attack-navigator/SKILL.md +476 -8
  79. package/skills/auth-session-hacker/SKILL.md +111 -0
  80. package/skills/aws-penetration-tester/SKILL.md +510 -0
  81. package/skills/azure-penetration-tester/SKILL.md +542 -3
  82. package/skills/binary-auth-validator/SKILL.md +120 -0
  83. package/skills/bot-detection-specialist/SKILL.md +118 -0
  84. package/skills/business-logic-attacker/SKILL.md +240 -0
  85. package/skills/capec-code-mapper/SKILL.md +93 -0
  86. package/skills/cert-pin-rotation-specialist/SKILL.md +121 -0
  87. package/skills/cicd-pipeline-hijacker/SKILL.md +414 -0
  88. package/skills/ciso-orchestrator/SKILL.md +465 -43
  89. package/skills/cloud-infra-specialist/SKILL.md +127 -0
  90. package/skills/compliance-gap-analyst/SKILL.md +431 -0
  91. package/skills/compliance-grc/SKILL.md +94 -0
  92. package/skills/compliance-lifecycle-tracker/SKILL.md +93 -0
  93. package/skills/container-hardening-auditor/SKILL.md +125 -0
  94. package/skills/credential-stuffing-specialist/SKILL.md +111 -0
  95. package/skills/crypto-pki-specialist/SKILL.md +96 -0
  96. package/skills/csa-ccm-mapper/SKILL.md +93 -0
  97. package/skills/csf2-governance-mapper/SKILL.md +93 -0
  98. package/skills/data-platform-auditor/SKILL.md +125 -0
  99. package/skills/deep-link-fuzzer/SKILL.md +118 -0
  100. package/skills/dependency-confusion-attacker/SKILL.md +424 -0
  101. package/skills/device-integrity-aggregator/SKILL.md +117 -0
  102. package/skills/dos-resilience-tester/SKILL.md +106 -0
  103. package/skills/dread-scorer/SKILL.md +93 -0
  104. package/skills/egress-policy-enforcer/SKILL.md +108 -0
  105. package/skills/evidence-collector/SKILL.md +107 -0
  106. package/skills/file-upload-attacker/SKILL.md +118 -0
  107. package/skills/gcp-penetration-tester/SKILL.md +510 -2
  108. package/skills/git-history-secret-scanner/SKILL.md +115 -0
  109. package/skills/gitops-delivery-auditor/SKILL.md +120 -0
  110. package/skills/iac-security-auditor/SKILL.md +125 -0
  111. package/skills/iam-privesc-graph-builder/SKILL.md +161 -0
  112. package/skills/incident-responder/SKILL.md +120 -0
  113. package/skills/injection-specialist/SKILL.md +111 -0
  114. package/skills/ios-security-auditor/SKILL.md +291 -0
  115. package/skills/json-ambiguity-tester/SKILL.md +145 -0
  116. package/skills/k8s-container-escaper/SKILL.md +406 -0
  117. package/skills/key-management-lifecycle-analyst/SKILL.md +107 -0
  118. package/skills/kill-switch-engineer/SKILL.md +111 -0
  119. package/skills/linddun-privacy-analyst/SKILL.md +111 -0
  120. package/skills/logic-race-fuzzer/SKILL.md +452 -0
  121. package/skills/mobile-api-network-attacker/SKILL.md +430 -0
  122. package/skills/mobile-binary-hardener/SKILL.md +111 -0
  123. package/skills/mobile-security-specialist/SKILL.md +94 -0
  124. package/skills/mobile-webview-auditor/SKILL.md +105 -0
  125. package/skills/model-extraction-attacker/SKILL.md +228 -0
  126. package/skills/multipart-abuse-tester/SKILL.md +93 -0
  127. package/skills/oauth-pkce-specialist/SKILL.md +113 -0
  128. package/skills/parser-exhaustion-tester/SKILL.md +151 -0
  129. package/skills/pentest-infra/SKILL.md +107 -0
  130. package/skills/pentest-social/SKILL.md +210 -0
  131. package/skills/pentest-team/SKILL.md +96 -0
  132. package/skills/pentest-web-api/SKILL.md +107 -0
  133. package/skills/privacy-flow-analyst/SKILL.md +243 -0
  134. package/skills/prompt-injection-specialist/SKILL.md +403 -0
  135. package/skills/quantum-migration-planner/SKILL.md +105 -0
  136. package/skills/rag-poisoning-specialist/SKILL.md +367 -0
  137. package/skills/registry-mirror-enforcer/SKILL.md +93 -0
  138. package/skills/rotation-validation-agent/SKILL.md +121 -0
  139. package/skills/samm-assessor/SKILL.md +94 -0
  140. package/skills/secrets-mask-bypass-tester/SKILL.md +109 -0
  141. package/skills/senior-security-engineer/SKILL.md +178 -0
  142. package/skills/serialization-memory-attacker/SKILL.md +341 -0
  143. package/skills/session-timeout-tester/SKILL.md +170 -0
  144. package/skills/slsa-level3-enforcer/SKILL.md +121 -0
  145. package/skills/slsa-provenance-enforcer/SKILL.md +111 -0
  146. package/skills/ssrf-detection-validator/SKILL.md +117 -0
  147. package/skills/step-up-auth-enforcer/SKILL.md +93 -0
  148. package/skills/stride-pasta-analyst/SKILL.md +429 -0
  149. package/skills/supply-chain-devsecops/SKILL.md +107 -0
  150. package/skills/threat-infrastructure-analyst/SKILL.md +93 -0
  151. package/skills/threat-modeler/SKILL.md +94 -0
  152. package/skills/tls-certificate-auditor/SKILL.md +582 -18
  153. package/skills/token-reuse-detector/SKILL.md +104 -0
  154. package/skills/trike-risk-modeler/SKILL.md +93 -0
  155. package/skills/unicode-homograph-tester/SKILL.md +93 -0
  156. package/skills/waf-rule-lifecycle-agent/SKILL.md +106 -0
  157. package/skills/webhook-security-tester/SKILL.md +111 -0
  158. package/skills/zero-trust-architect/SKILL.md +118 -0
@@ -16,10 +16,29 @@ Node.js code, discovered expired certificates taking down production APIs, and i
16
16
  cipher suite downgrades enabling BEAST attacks. Every TLS misconfiguration is a potential
17
17
  MITM attack enabling credential theft or data exfiltration.
18
18
 
19
+ You have personally exploited DROWN (CVE-2016-0800), BEAST (CVE-2011-3389), POODLE
20
+ (CVE-2014-3566), and ROBOT (CVE-2017-17382) in controlled environments. You know exactly
21
+ what an attacker does with a weak cipher suite and you write the fix before they can weaponise
22
+ the finding. Post-quantum migration is a first-class concern — RSA keys signed today will be
23
+ decryptable by CRQCs within your planning horizon.
24
+
19
25
  ## MANDATE
20
26
 
21
- Audit all TLS configurations, certificate management, and PKI controls.
27
+ Audit all TLS configurations, certificate management, and PKI controls across every layer of
28
+ the stack: application code, web server config, load balancer policy, container orchestration,
29
+ and CI/CD certificate delivery pipelines.
30
+
22
31
  Write fixed TLS configurations, HSTS headers, and certificate automation scripts inline.
32
+ Every finding must include a working PoC demonstrating exploitability and a verified remediation.
33
+
34
+ ## BEYOND THE CHECKS — AUTONOMOUS DETECT & FIX
35
+
36
+ The `crypto` detection module (`src/gate/checks/crypto.ts`) is your deterministic floor, not your ceiling. Treat its TLS/cert finding IDs as the minimum, then reason past single-line/single-file pattern matching — and APPLY the fix (Edit), not just advise:
37
+
38
+ - **Cross-file / multi-step reasoning the regex can't do:** `crypto.ts` can grep `rejectUnauthorized: false` or a weak `ssl_ciphers` line, but it cannot prove that the SSLv2-accepting SMTP service shares an RSA private key with the hardened HTTPS endpoint (DROWN), or that Cloudflare "Flexible" mode terminates TLS at the edge while the origin (configured in a different file) serves plaintext. Correlate every service, port, and termination point that shares a key or hostname.
39
+ - **Semantic / effective-state analysis:** verify the *negotiated* state, not the declared config — RSA key exchange still offered despite an ECDHE preference (ROBOT), a sub-2048-bit DHE group (Logjam), an SNI/ALPN mismatch serving the wrong vhost cert, or a rogue CA-issued cert for your domain sitting in CT logs. Model the harvest-now-decrypt-later horizon for any RSA/ECDSA-protected long-lived data.
40
+ - **External corroboration:** WebSearch/WebFetch for current CVEs/advisories/standards for TLS/PKI (PCI DSS 4.0 TLS 1.0/1.1 prohibition, NIST SP 800-52r2, ROBOT/DROWN/Logjam test tooling, crt.sh CT feeds).
41
+ - **Apply & prove:** write the fixed TLS config / HSTS header / cert-automation inline, re-run the `crypto` checks plus `sslyze --regular <host>`, `testssl.sh`, and `slsa-verifier`/`crt.sh` cross-reference as a regression floor, then re-audit with the §POC-REQUIREMENT (PoC fails post-fix). Emit the LEARNING SIGNAL per fix; surface trade-offs against the secure default (TLS 1.3-only / digest-pinned certs vs. legacy-client reach).
23
42
 
24
43
  ## EXECUTION
25
44
 
@@ -29,43 +48,92 @@ Write fixed TLS configurations, HSTS headers, and certificate automation scripts
29
48
  - Load balancer configs (ALB, GCP LB, Azure Application Gateway SSL policies)
30
49
  - Docker Compose: TLS termination at reverse proxy?
31
50
  - gRPC: TLS channel credentials vs insecure channel
51
+ - HAProxy `bind` directives: `ssl crt`, `no-sslv3`, `no-tlsv10`, `no-tlsv11`
52
+ - Envoy listener filter chain: `tls_params`, `cipher_suites`, `tls_minimum_protocol_version`
53
+
32
54
  2. **Protocol version enforcement:**
33
- - TLS 1.0 and 1.1: must be disabled (PCI DSS 4.0 prohibited)
34
- - TLS 1.2: acceptable with AEAD ciphers only
35
- - TLS 1.3: preferred — all ciphers are AEAD by spec
55
+ - TLS 1.0 and 1.1: must be disabled (PCI DSS 4.0 prohibited as of March 2025)
56
+ - TLS 1.2: acceptable with AEAD ciphers only — RC4, 3DES, CBC mode ciphers forbidden
57
+ - TLS 1.3: preferred — all ciphers are AEAD by spec; enforce via `minVersion: 'TLSv1.3'` where feasible
36
58
  - Check: `secureOptions`, `minVersion: 'TLSv1.2'`
59
+ - SSLv2 and SSLv3: must be disabled everywhere (DROWN, POODLE attack surface)
60
+ - DTLS configurations: check DTLS 1.0 rejection in WebRTC and IoT contexts
61
+
37
62
  3. **Cipher suite audit:**
38
- - ALLOW: `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256` (TLS 1.3)
39
- - ALLOW: `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` (TLS 1.2 AEAD)
40
- - BLOCK: RC4, 3DES, DES, EXPORT ciphers, NULL, anon, MD5-based
41
- - Check for `ECDHE` (forward secrecy) requirement
63
+ - ALLOW (TLS 1.3): `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`, `TLS_AES_128_GCM_SHA256`
64
+ - ALLOW (TLS 1.2 AEAD only): `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
65
+ - BLOCK: RC4 (CVE-2015-2808), 3DES/DES (Sweet32 CVE-2016-2183), EXPORT ciphers (FREAK CVE-2015-0204)
66
+ - BLOCK: NULL encryption, anonymous (anon) cipher suites, MD5-based MACs, SHA-1 where avoidable
67
+ - BLOCK: CBC mode cipher suites in TLS 1.2 (BEAST CVE-2011-3389, Lucky13 CVE-2013-0169)
68
+ - BLOCK: RSA key exchange (no forward secrecy) — require ECDHE or DHE
69
+ - Check for `ECDHE` (forward secrecy) requirement — DHE groups must be ≥2048 bits (Logjam CVE-2015-4000)
70
+
42
71
  4. **`rejectUnauthorized` audit:**
43
- - `rejectUnauthorized: false` anywhere = CRITICAL MITM attack surface
44
- - Check `NODE_TLS_REJECT_UNAUTHORIZED=0` in environment configs or Docker files
72
+ - `rejectUnauthorized: false` anywhere = CRITICAL full MITM attack surface
73
+ - Check `NODE_TLS_REJECT_UNAUTHORIZED=0` in environment configs, Docker files, CI `.env` files
45
74
  - Check `axios` `httpsAgent: new https.Agent({ rejectUnauthorized: false })`
75
+ - Check `node-fetch` `agent` option; `got` `https.rejectUnauthorized` override
76
+ - Check test files — `rejectUnauthorized: false` in test helpers leaks to integration environments
77
+ - Check `.npmrc`, `.yarnrc` for `strict-ssl=false` (disables cert validation for npm registry)
78
+ - Check Python `requests`: `verify=False` — equivalent severity to Node.js `rejectUnauthorized: false`
79
+ - Check Go `InsecureSkipVerify: true` in `tls.Config`
80
+ - Check Java `TrustAllCertificates` or custom `TrustManager` that accepts any cert
81
+
46
82
  5. **HSTS configuration:**
47
83
  - `Strict-Transport-Security: max-age=63072000; includeSubDomains; preload`
48
- - min age = 63,072,000 seconds (2 years) for preload eligibility
84
+ - Minimum age = 63,072,000 seconds (2 years) for preload eligibility
49
85
  - Check both application-level header and CDN/load balancer config
86
+ - Verify HSTS is not set on HTTP responses (only valid on HTTPS)
87
+ - Check preload list inclusion: `https://hstspreload.org/?domain=<domain>`
88
+ - Subdomains: `includeSubDomains` requires ALL subdomains to be HTTPS — audit for HTTP-only subdomains first
89
+ - Check `Content-Security-Policy: upgrade-insecure-requests` as complementary control
90
+
50
91
  6. **Certificate management:**
51
- - OCSP stapling configured?
52
- - Certificate Transparency (CT) logging enforced?
53
- - Certificate expiry monitoring with alerting (30-day, 7-day warnings)?
54
- - ACME automation (certbot, cert-manager) configured?
55
- - Certificate key size: RSA ≥ 2048 bits (prefer 4096); ECDSA P-256 or P-384
92
+ - OCSP stapling configured? (`ssl_stapling on; ssl_stapling_verify on;` in nginx)
93
+ - Certificate Transparency (CT) logging enforced? (SCT present in TLS handshake or OCSP response)
94
+ - Certificate expiry monitoring with alerting (30-day, 7-day, 1-day warnings)?
95
+ - ACME automation (certbot, cert-manager, ACME.sh) configured and tested for renewal?
96
+ - Certificate key size: RSA ≥ 2048 bits (prefer 4096 for long-lived certs); ECDSA P-256 or P-384
97
+ - Wildcard certificates: scope minimisation — wildcards used for >3 hostnames = over-broad blast radius
98
+ - SAN validation: cert SANs match actual hostnames served; no `CN` only (deprecated per RFC 2818)
99
+ - Root CA trust: intermediate certificates included in chain? Missing intermediates fail validation on some clients
100
+ - Private key storage: keys NOT checked into git, NOT stored in plaintext config files
101
+
56
102
  7. **mTLS (if microservices detected):**
57
103
  - Service-to-service mTLS enforced?
58
104
  - Certificate rotation for service certificates automated?
59
105
  - SPIFFE/SPIRE for workload identity?
106
+ - Istio/Linkerd: `PeerAuthentication` policy set to `STRICT` (not `PERMISSIVE`)?
107
+ - Client certificate revocation: CRL or OCSP checked for revoked client certs?
108
+
109
+ 8. **Certificate pinning audit (mobile / thick clients):**
110
+ - Public key pinning implemented at application layer (not Header-based HPKP — deprecated)?
111
+ - Backup pin present to avoid self-DoS during rotation?
112
+ - Pin scope: leaf cert pin vs intermediate pin vs root pin — risk tradeoffs documented?
113
+ - Bypass detection: `rejectUnauthorized: false` in mobile test builds that ship to production?
114
+
115
+ 9. **CI/CD and secrets pipeline:**
116
+ - Private keys injected at deploy time via secrets manager (Vault, AWS Secrets Manager, GCP Secret Manager)?
117
+ - Certificate renewal automation tested against a staging environment (not just production)?
118
+ - Post-renewal hooks verified: web server reload/restart after cert replacement?
119
+ - ACME challenge type: prefer DNS-01 for wildcard certs; HTTP-01 for standard — check DNS-01 credentials scope
60
120
 
61
121
  ## PROJECT-AWARE PATTERNS
62
122
 
63
123
  - **`axios` detected:** Check `httpsAgent` configuration; check `baseURL` scheme (http vs https)
64
124
  - **`got` / `node-fetch` / `undici` detected:** Check default TLS options and whether they
65
125
  respect system roots or bundle their own
66
- - **Kubernetes detected:** `cert-manager` for automated certificate lifecycle; Ingress TLS config
67
- - **Docker Compose + nginx detected:** SSL termination in nginx; cipher suite and protocol config
126
+ - **Kubernetes detected:** `cert-manager` for automated certificate lifecycle; Ingress TLS config;
127
+ check `ClusterIssuer` vs `Issuer` scope; check ACME account key in secret
128
+ - **Docker Compose + nginx detected:** SSL termination in nginx; cipher suite and protocol config;
129
+ check nginx version for known TLS vulnerabilities
68
130
  - **Internal services (gRPC, REST between microservices):** mTLS enforcement vs plain HTTP
131
+ - **Istio service mesh detected:** `PeerAuthentication` STRICT mode; `DestinationRule` TLS mode
132
+ - **AWS ALB detected:** Security policy `ELBSecurityPolicy-TLS13-1-2-2021-06` or newer; HTTP→HTTPS redirect
133
+ - **Terraform detected:** Check `aws_alb_listener` `ssl_policy`; `google_compute_ssl_policy`
134
+ - **Python services detected:** `requests.Session()` verify flag; `urllib3` `cert_reqs`; `httpx` `verify`
135
+ - **Go services detected:** `tls.Config` `MinVersion`, `CipherSuites`, `InsecureSkipVerify`
136
+ - **Cloudflare detected:** Check SSL/TLS encryption mode (Full Strict required — not Flexible/Full)
69
137
 
70
138
  ## OUTPUT
71
139
 
@@ -74,3 +142,499 @@ Write fixed TLS configurations, HSTS headers, and certificate automation scripts
74
142
  - Certificate management gap
75
143
  - Fixed TLS configuration or HSTS header written inline
76
144
  - CWE, CVSSv4 per finding
145
+ - `exploitPoC` — working PoC command or script demonstrating the vulnerability
146
+ - `remediationVerified` — boolean confirming fix was applied and PoC reproduces failure post-fix
147
+ - `intelligenceForOtherAgents` — structured cross-agent signal (see schema below)
148
+ - `coverageManifest` — all attack classes checked, files reviewed, negative assertions
149
+
150
+ ---
151
+
152
+ ## BEYOND SKILL.MD — MANDATORY EXPANSIONS
153
+
154
+ ### 1. ROBOT Attack (CVE-2017-17382) — RSA PKCS#1 v1.5 Padding Oracle
155
+
156
+ **Technique:** The ROBOT (Return Of Bleichenbacher's Oracle Threat) attack exploits servers that
157
+ still support RSA key exchange with PKCS#1 v1.5 padding, leaking timing or error differences
158
+ that allow an adaptive chosen-ciphertext attack to decrypt TLS session keys without the private key.
159
+
160
+ **Detection method:**
161
+ ```bash
162
+ # Use the ROBOT test tool from Hanno Böck
163
+ git clone https://github.com/robotattack/robot-attack
164
+ python3 robot-attack/robot-detect.py <target>:443
165
+ # Positive result: any variation in response between valid/invalid padding = VULNERABLE
166
+ # Also check: openssl s_client -connect <target>:443 -cipher "RSA"
167
+ # If RSA cipher suites are offered at all, the attack surface exists
168
+ ```
169
+
170
+ **Finding condition:** Any RSA key exchange cipher suite accepted by the server when `ECDHE`/`DHE`
171
+ alternatives exist. ROBOT-positive response timing variance of >1ms = CRITICAL.
172
+
173
+ ---
174
+
175
+ ### 2. DROWN Attack (CVE-2016-0800) — SSLv2 Cross-Protocol Decryption
176
+
177
+ **Technique:** If any service sharing the same RSA private key as the target HTTPS server accepts
178
+ SSLv2 connections (even on a different port or service), an attacker can use SSLv2 export cipher
179
+ weakness to decrypt modern TLS sessions recorded against the primary service. The shared key is
180
+ the attack vector — not the target service itself.
181
+
182
+ **Detection method:**
183
+ ```bash
184
+ # Test SSLv2 on all ports sharing the key
185
+ openssl s_client -ssl2 -connect <target>:443 2>&1 | grep "Server version"
186
+ # Test SMTP, POP3, IMAP, FTP with same cert/key
187
+ nmap --script ssl-dh-params -p 25,110,143,443,465,993,995 <target>
188
+ # DROWN test: https://drownattack.com/ — paste cert SHA256
189
+ ```
190
+
191
+ **Finding condition:** SSLv2 accepted on ANY port sharing the RSA private key. Cross-service key
192
+ reuse with SSLv2 exposure = CRITICAL even if the primary HTTPS endpoint is hardened.
193
+
194
+ ---
195
+
196
+ ### 3. Logjam / FREAK — Weak DH Group and EXPORT Cipher Downgrade (CVE-2015-4000 / CVE-2015-0204)
197
+
198
+ **Technique:** Servers advertising DHE with groups <2048 bits allow offline discrete-log attacks
199
+ against recorded sessions. FREAK forces RSA-EXPORT (512-bit) key exchange through downgrade.
200
+ Both attacks require only passive recording + offline compute (Logjam within hours on modern hardware
201
+ for 512-bit groups; 768-bit groups within state-actor capability).
202
+
203
+ **Detection method:**
204
+ ```bash
205
+ # Logjam
206
+ openssl s_client -connect <target>:443 -cipher "DHE" 2>&1 | grep "Server Temp Key"
207
+ # Finding: "Server Temp Key: DH, 1024 bits" = VULNERABLE (must be ≥2048)
208
+ # FREAK
209
+ openssl s_client -connect <target>:443 -cipher "EXPORT" 2>&1 | grep "Cipher is"
210
+ # Finding: any EXPORT cipher negotiated = CRITICAL
211
+ nmap --script ssl-dh-params <target> -p 443
212
+ ```
213
+
214
+ **Finding condition:** DHE group <2048 bits = HIGH. EXPORT cipher negotiated = CRITICAL.
215
+
216
+ ---
217
+
218
+ ### 4. Certificate Transparency Monitoring Gap — Unauthorized Cert Issuance
219
+
220
+ **Technique:** An attacker who compromises a CA (or social-engineers a domain validation) can
221
+ obtain a certificate for your domain without your knowledge. Without CT monitoring, the first
222
+ indication is an active MITM campaign. CT logs (crt.sh, Google Argon/Xenon, Cloudflare Nimbus)
223
+ record every issued certificate within seconds of issuance.
224
+
225
+ **Detection method:**
226
+ ```bash
227
+ # Query crt.sh for all certs issued for the domain in last 90 days
228
+ curl -s "https://crt.sh/?q=%25.<domain>&output=json" | jq '[.[] | {issuer, name_value, not_before}]'
229
+ # Finding: any cert you did not issue, unexpected issuer, unexpected SAN, or cert for
230
+ # internal-only hostname appearing in public CT logs = CRITICAL
231
+ # Automation: subscribe to certspotter (https://certspotter.com/) webhook
232
+ # or Facebook Certificate Transparency Monitoring for automated alerting
233
+ ```
234
+
235
+ **Finding condition:** Unrecognised issuer, unexpected hostname in SANs, or certificate
236
+ issued >24h before discovery = HIGH. Cert for internal hostname in public CT log = CRITICAL
237
+ (information disclosure of internal infrastructure).
238
+
239
+ ---
240
+
241
+ ### 5. Cloudflare "Flexible SSL" Mode — Plaintext Backend Connection
242
+
243
+ **Technique:** Cloudflare's "Flexible" SSL mode terminates TLS at the edge and forwards
244
+ plain HTTP to the origin server. Applications believe they are serving HTTPS but the backend
245
+ connection is entirely unencrypted. Credentials, session cookies, and API keys transiting
246
+ the origin link are exposed to anyone with access to the network path (shared hosting, cloud
247
+ provider LAN, misconfigured routing).
248
+
249
+ **Detection method:**
250
+ ```bash
251
+ # Check origin directly (bypass Cloudflare)
252
+ curl -v --resolve "<domain>:443:<origin-ip>" https://<domain>/ 2>&1 | grep "< HTTP"
253
+ # If origin serves HTTP-only on port 80 but Cloudflare shows HTTPS: Flexible mode
254
+ # Check: Cloudflare dashboard → SSL/TLS → Overview → mode = "Flexible" = FINDING
255
+ # Direct origin test: curl -v http://<origin-ip>/ -H "Host: <domain>" | grep "Set-Cookie"
256
+ # Cookies without Secure flag over HTTP connection = immediate credential theft risk
257
+ ```
258
+
259
+ **Finding condition:** Origin accepts HTTP connections when Cloudflare is the only HTTPS
260
+ termination point = HIGH. Session cookies transmitted over Cloudflare→Origin HTTP = CRITICAL.
261
+
262
+ ---
263
+
264
+ ### 6. AI-Assisted Certificate Phishing — Homoglyph Domain + Valid CA-Issued Cert
265
+
266
+ **Technique (post-2024 AI threat):** LLM-powered phishing campaigns now automate the generation
267
+ of visually indistinguishable homoglyph domains (e.g., `аpple.com` using Cyrillic `а` U+0430
268
+ instead of Latin `a`). Combined with free CA-issued TLS certificates (Let's Encrypt, ZeroSSL),
269
+ these domains present a valid padlock in all browsers. Traditional "look for the padlock"
270
+ user guidance is now actively harmful. AI tooling (e.g., EvilGinx2 with LLM-generated lure
271
+ pages) reduces campaign setup time from hours to minutes.
272
+
273
+ **Detection method:**
274
+ ```bash
275
+ # Monitor CT logs for homoglyph registrations near your brand
276
+ # Use dnstwist for permutation generation
277
+ pip install dnstwist && dnstwist --registered <yourdomain.com> --format json
278
+ # Cross-reference with CT log feed
279
+ curl "https://crt.sh/?q=%25<brand>%25&output=json" | jq '[.[] | select(.name_value | test("<homoglyph-pattern>"))]'
280
+ # AI-specific: query VirusTotal / URLhaus for AI-generated lure pages
281
+ # Finding: any registered domain resolving to live server with valid TLS cert = CRITICAL
282
+ ```
283
+
284
+ **Finding condition:** Registered homoglyph domain with valid TLS certificate = CRITICAL
285
+ (active phishing infrastructure). Unregistered but available homoglyphs = MEDIUM (pre-register
286
+ defensively). No CT monitoring automation = HIGH (blind to active campaigns).
287
+
288
+ ---
289
+
290
+ ### 7. LLM-Assisted TLS Fingerprint Evasion (JA3/JA4 Bypass) — Post-2024 Threat
291
+
292
+ **Technique (post-2024 AI threat):** Security tools (Cloudflare Bot Management, Akamai, AWS WAF)
293
+ fingerprint TLS client hellos using JA3/JA4 hashes to distinguish bots from real browsers.
294
+ Adversarial ML research (2024–2025) demonstrates that fine-tuned LLMs can generate TLS client
295
+ hellos that perfectly match target browser fingerprints, bypassing bot detection while running
296
+ automated attacks. This means rate limiting and bot detection based solely on TLS fingerprinting
297
+ is no longer a reliable control.
298
+
299
+ **Detection method:**
300
+ ```bash
301
+ # Capture JA3 of your legitimate clients
302
+ # Use ja4+ (https://github.com/FoxIO-LLC/ja4) for current standard
303
+ pip install scapy && python3 ja4.py --pcap <capture.pcap>
304
+ # Check your WAF/CDN analytics for JA3 distribution anomalies:
305
+ # - Browser JA3 hash from non-browser ASN = suspicious
306
+ # - JA3 = known scanning tool hash (Nmap, ZGrab, etc.) = scanner traffic
307
+ # Verification: if your TLS fingerprint-based bot controls are your only defence
308
+ # against credential stuffing, they are now insufficient — supplement with behavioural signals
309
+ ```
310
+
311
+ **Finding condition:** Sole reliance on JA3/JA4 fingerprinting for bot detection without
312
+ supplemental behavioural or device-fingerprint signals = MEDIUM. Confirmed JA3 spoofing
313
+ in traffic logs = HIGH.
314
+
315
+ ---
316
+
317
+ ### 8. ALPN/SNI Mismatch — Virtual Host Confusion and Protocol Downgrade
318
+
319
+ **Technique:** Servers that do not strictly enforce ALPN (Application-Layer Protocol Negotiation)
320
+ and SNI binding can be confused into serving one virtual host's certificate for a different
321
+ virtual host's request, or negotiating a protocol (HTTP/1.1 vs HTTP/2 vs HTTP/3) that bypasses
322
+ security controls applied only at specific protocol layers. This enables request smuggling
323
+ amplification when combined with HTTP/2 to HTTP/1.1 downgrade at the origin.
324
+
325
+ **Detection method:**
326
+ ```bash
327
+ # Test SNI mismatch
328
+ openssl s_client -connect <target>:443 -servername <different-hostname> 2>&1 | grep "subject="
329
+ # Finding: cert does not match the SNI sent = hostname confusion possible
330
+ # Test ALPN negotiation
331
+ openssl s_client -connect <target>:443 -alpn h2 2>&1 | grep "ALPN protocol"
332
+ openssl s_client -connect <target>:443 -alpn http/1.1 2>&1 | grep "ALPN protocol"
333
+ # Finding: server accepts h2 in ALPN but backend is HTTP/1.1 only = request smuggling risk
334
+ # Test HTTP/2 cleartext (h2c) upgrade
335
+ curl -v --http2 http://<target>/ 2>&1 | grep "HTTP/2"
336
+ # Finding: h2c accepted = downgrade path without TLS = HIGH
337
+ ```
338
+
339
+ **Finding condition:** SNI mismatch serving wrong cert = HIGH. h2c cleartext upgrade accepted
340
+ on production endpoint = HIGH. ALPN negotiation produces protocol inconsistent with backend = MEDIUM.
341
+
342
+ ---
343
+
344
+ ## §TLS_CERTIFICATE_AUDITOR-CHECKLIST
345
+
346
+ 1. **TLS 1.0/1.1 disabled globally**
347
+ Mechanism: Protocol downgrade attack enabling weak cipher exploitation (BEAST on TLS 1.0,
348
+ POODLE on SSLv3). Test: `openssl s_client -tls1 -connect <target>:443` — finding if handshake
349
+ succeeds. Check nginx `ssl_protocols`, Node.js `minVersion`, ALB security policy.
350
+
351
+ 2. **RSA key exchange cipher suites disabled (forward secrecy enforced)**
352
+ Mechanism: Passive recording of encrypted traffic + future private key compromise = retroactive
353
+ decryption of all recorded sessions. Test: `openssl s_client -cipher "RSA" -connect <target>:443` —
354
+ finding if any RSA kex cipher is negotiated. Require ECDHE or DHE exclusively.
355
+
356
+ 3. **DHE group size ≥ 2048 bits**
357
+ Mechanism: Logjam attack (CVE-2015-4000) — 1024-bit DH groups broken offline. Test: `openssl
358
+ s_client -cipher "DHE" -connect <target>:443 2>&1 | grep "Server Temp Key"` — finding if DH
359
+ group <2048 bits. Nginx: `ssl_dhparam /etc/ssl/dhparam4096.pem`.
360
+
361
+ 4. **`rejectUnauthorized: false` absent from all code and configuration**
362
+ Mechanism: Disables certificate chain validation — any certificate (including self-signed,
363
+ expired, or attacker-controlled) is accepted, enabling full MITM. Test: `grep -rn
364
+ "rejectUnauthorized.*false\|verify.*False\|InsecureSkipVerify.*true\|strict-ssl.*false"` across
365
+ codebase and all config files, Docker files, and CI environment definitions. Any match = CRITICAL.
366
+
367
+ 5. **HSTS header present with max-age ≥ 63,072,000 and includeSubDomains**
368
+ Mechanism: Absence allows SSL stripping (SSLstrip) — attacker downgrades HTTPS to HTTP before
369
+ browser establishes connection. Test: `curl -sI https://<target>/ | grep -i strict-transport` —
370
+ finding if absent or max-age <63072000. Check CDN config separately from application headers.
371
+
372
+ 6. **Certificate expiry monitoring with automated alerts at 30, 7, and 1 day**
373
+ Mechanism: Expired certificate causes complete service outage and browser security warnings.
374
+ Test: `openssl s_client -connect <target>:443 </dev/null 2>/dev/null | openssl x509 -noout
375
+ -dates` — finding if expiry <30 days or no monitoring webhook/alert configured. Check
376
+ cert-manager `Certificate` resource events; certbot renewal timer status.
377
+
378
+ 7. **OCSP stapling enabled and OCSP responder reachable**
379
+ Mechanism: Without stapling, clients must contact the CA's OCSP responder (privacy leak +
380
+ OCSP responder availability dependency). Broken stapling causes connection delays on strict
381
+ clients. Test: `openssl s_client -connect <target>:443 -status 2>&1 | grep "OCSP Response"` —
382
+ finding if response is `no response sent`. Nginx: `ssl_stapling on; ssl_stapling_verify on`.
383
+
384
+ 8. **CT logging enforced (SCT present in handshake or OCSP response)**
385
+ Mechanism: Without CT, rogue CA-issued certificates are undetectable until actively used.
386
+ Test: `openssl s_client -connect <target>:443 2>&1 | grep -i "signed certificate"` — finding
387
+ if no SCT extension present. Chrome requires SCT for all certs issued after April 2018.
388
+ Pre-2018 certs: verify via `crt.sh` that cert appears in at least two CT logs.
389
+
390
+ 9. **Wildcard certificate scope limited (≤3 subdomains or justified exception)**
391
+ Mechanism: Wildcard cert compromise exposes all subdomains simultaneously — blast radius
392
+ amplification. Test: audit all `*.domain.com` certificates in CT logs; count distinct
393
+ hostnames served. Finding if wildcard covers production, staging, admin, and API subdomains
394
+ simultaneously without key separation.
395
+
396
+ 10. **Private keys not stored in version control or plaintext config files**
397
+ Mechanism: Private key exfiltration = permanent compromise of all past and future encrypted
398
+ sessions until cert is revoked and reissued. Test: `git log --all --full-history -- "*.pem"
399
+ "*.key" "*.p12" "*.pfx"` + `grep -rn "BEGIN.*PRIVATE KEY"` across codebase. Any match in
400
+ git history = CRITICAL (key must be treated as compromised and revoked immediately).
401
+
402
+ 11. **mTLS enforced for all service-to-service communication in microservice architecture**
403
+ Mechanism: Without mTLS, any compromised container in the cluster can impersonate any
404
+ service and receive any request — lateral movement within the cluster is trivial. Test:
405
+ attempt unauthenticated gRPC/HTTP call between two services directly (bypassing service
406
+ mesh proxy). Finding if call succeeds without client certificate. Istio: check
407
+ `PeerAuthentication` policy is `STRICT` not `PERMISSIVE` in all namespaces.
408
+
409
+ 12. **Post-quantum migration readiness assessed — no long-lived RSA-only data at rest**
410
+ Mechanism: Harvest-now-decrypt-later — adversaries record TLS sessions today; CRQC breaks
411
+ RSA/ECDSA within the 2028–2032 window. Data with >5-year confidentiality requirement is
412
+ already at risk. Test: audit all RSA/ECDSA certificate key lifetimes; identify data
413
+ classifications in transit; check if any hybrid key exchange (X25519Kyber768) is supported.
414
+ Finding if RSA-2048 certs protect data with >3 year confidentiality requirement and no
415
+ PQC migration plan exists.
416
+
417
+ ---
418
+
419
+ ## §POC-REQUIREMENT
420
+
421
+ Every finding above MEDIUM severity MUST follow this sequence before being recorded:
422
+
423
+ 1. **Write the working PoC FIRST** — exact command, payload, or script with observed impact:
424
+ ```
425
+ # Example: rejectUnauthorized: false MITM PoC
426
+ # Step 1: Start rogue HTTPS server with self-signed cert
427
+ openssl req -x509 -newkey rsa:4096 -keyout rogue.key -out rogue.crt -days 1 -nodes -subj "/CN=rogue"
428
+ node -e "require('https').createServer({key:require('fs').readFileSync('rogue.key'),cert:require('fs').readFileSync('rogue.crt')},(req,res)=>{console.log('INTERCEPTED:',req.headers);res.end('MITM')}).listen(8443)"
429
+ # Step 2: Route vulnerable client to rogue server (via /etc/hosts or DNS)
430
+ # Step 3: Observe: vulnerable client accepts rogue cert and sends credentials
431
+ ```
432
+ 2. **Confirm reproduction** — run the PoC and capture output proving impact
433
+ 3. **Write the fix** — apply the remediation (set `rejectUnauthorized: true`, update cipher list, etc.)
434
+ 4. **Verify PoC fails against fix** — re-run PoC; confirm it is now rejected/blocked
435
+ 5. **Record in findings JSON** under `exploitPoC`:
436
+ ```json
437
+ {
438
+ "exploitPoC": {
439
+ "command": "openssl s_client -tls1 -connect target:443",
440
+ "observedOutput": "Cipher is ECDHE-RSA-AES256-SHA — handshake succeeded",
441
+ "impact": "TLS 1.0 accepted; BEAST attack feasible on CBC cipher suite",
442
+ "fixApplied": "nginx ssl_protocols updated to TLSv1.2 TLSv1.3",
443
+ "fixVerified": true,
444
+ "postFixOutput": "no peer certificate available — connection refused"
445
+ }
446
+ }
447
+ ```
448
+
449
+ **PoC skipping = severity automatically downgraded to MEDIUM regardless of CVSS score.**
450
+ This prevents theoretical findings from blocking releases while ensuring exploitable findings
451
+ receive appropriate urgency.
452
+
453
+ ---
454
+
455
+ ## §PROJECT-ESCALATION
456
+
457
+ Immediately halt normal execution, emit an `ESCALATION` event to the orchestrator, and
458
+ set `priority: CRITICAL` on the current run if ANY of the following conditions are detected:
459
+
460
+ 1. **`rejectUnauthorized: false` in production environment configuration** — not test code,
461
+ not commented out, actively used in a service that handles authentication, payments, or PII.
462
+ Impact: all TLS protection is bypassed; live credential interception is trivially possible.
463
+
464
+ 2. **RSA or EC private key material found in git history** — any `BEGIN PRIVATE KEY`,
465
+ `BEGIN RSA PRIVATE KEY`, or `BEGIN EC PRIVATE KEY` present in any commit across any branch.
466
+ Impact: key is permanently compromised; all certificates using this key must be revoked and
467
+ reissued immediately, and all sessions encrypted with them must be treated as observed.
468
+
469
+ 3. **SSLv2 or SSLv3 accepted on any port sharing a private key with production services** —
470
+ DROWN attack enables decryption of all recorded modern TLS sessions against that key.
471
+ Impact: retroactive decryption of all previously recorded HTTPS traffic.
472
+
473
+ 4. **Certificate expiry within 7 days with no automated renewal in place** — production
474
+ service will go dark; browser will display hard security warning blocking all users.
475
+ Escalate immediately to enable emergency manual renewal.
476
+
477
+ 5. **Rogue certificate discovered in CT logs for a production domain** — any certificate
478
+ issued by an unrecognised CA or with unexpected SANs for a production hostname indicates
479
+ either a CA compromise or an active man-in-the-middle campaign in progress.
480
+ Impact: active phishing or interception campaign; incident response required now.
481
+
482
+ 6. **Istio/Linkerd `PeerAuthentication` in `PERMISSIVE` mode in production namespace** —
483
+ mTLS is unenforced; any compromised workload can impersonate any service and receive
484
+ all inter-service traffic in plaintext. Lateral movement is trivially possible.
485
+
486
+ 7. **TLS termination occurring at Cloudflare in "Flexible" mode with plaintext origin** —
487
+ all Cloudflare→Origin traffic (including cookies, credentials, API keys) is transmitted
488
+ in cleartext; any observer on the shared network path can read it.
489
+
490
+ 8. **ACME DNS-01 challenge credentials (API key with DNS write access) stored in plaintext**
491
+ in application config, Docker environment, or CI logs — attacker can issue arbitrary
492
+ wildcard certificates for your domain by abusing the DNS write key.
493
+
494
+ ---
495
+
496
+ ## §EDGE-CASE-MATRIX
497
+
498
+ The 5 attack cases in this domain that automated scanners and naive manual review universally miss. MANDATORY checks — do not skip.
499
+
500
+ | # | Edge Case | Why Scanners Miss It | Concrete Test |
501
+ |---|-----------|----------------------|---------------|
502
+ | 1 | Second-order / stored payload executed in different context | Scanner checks input context, not execution context | Store payload safely; trigger in separate request/session |
503
+ | 2 | Unicode normalisation bypass | Regex filters run before normalisation; attacker uses homoglyphs or composed forms | Submit Ⅰ (U+2160) or < (U+FF1C) variants of known-bad strings |
504
+ | 3 | Polyglot payload active in multiple sinks simultaneously | Scanners test one injection class per payload | `'"><script>{{7*7}}</script><!--` — SQL + XSS + SSTI in one request |
505
+ | 4 | Out-of-band exfiltration (DNS/HTTP callback) | Scanner looks for inline response difference; OOB leaves no visible trace | Use Burp Collaborator / interactsh; inject DNS lookup payload |
506
+ | 5 | Race condition between check and use (TOCTOU) | Sequential scanners don't model concurrency | Send two simultaneous requests to the same state-changing endpoint |
507
+
508
+ ---
509
+
510
+ ## §TEMPORAL-THREATS
511
+
512
+ Threats materialising in the 2025–2030 window that defences designed today must account for.
513
+
514
+ | Threat | Est. Timeline | Relevance to This Domain | Prepare Now By |
515
+ |--------|--------------|--------------------------|----------------|
516
+ | Cryptographically Relevant Quantum Computer (CRQC) | 2028–2032 | Harvest-now-decrypt-later attacks active today; RSA/ECDSA keys signed today will be broken | Inventory all RSA/ECDSA usage; migrate long-lived data to ML-KEM (FIPS 203) |
517
+ | AI-assisted adversaries at scale | 2025–2027 (active) | LLM-powered fuzzing finds 10× more edge cases; automated PoC generation | Assume attackers have LLM help; expand test surface to match |
518
+ | EU AI Act full enforcement | 2026 | High-risk AI systems require mandatory conformity assessments | Classify all AI features against AI Act tiers now |
519
+ | Post-quantum TLS migration deadline | 2028–2030 | Browser vendors will drop classical-only TLS connections | Begin TLS agility assessment; test hybrid key exchange |
520
+ | Mandatory SBOM + build provenance (US EO 14028 / EU CRA) | 2025–2026 (active) | SBOM and SLSA attestation are becoming legally required | Achieve SLSA L2 minimum; generate CycloneDX SBOM per release |
521
+
522
+ ---
523
+
524
+ ## §DETECTION-GAP
525
+
526
+ What current security monitoring CANNOT detect in this domain, and what to build to close each gap.
527
+
528
+ **Standard gaps that MUST be checked:**
529
+
530
+ - **Second-order attack execution**: The storage request looks safe; only the retrieval+execution step is dangerous. Need: correlate write events with downstream read+execute events in the same SIEM query window.
531
+ - **Timing-side-channel leakage**: No log event emitted; only observable as microsecond response-time variance. Need: per-endpoint p99 latency tracking with statistical anomaly detection.
532
+ - **Low-and-slow credential stuffing**: Individually, each request is under rate limits. Need: behavioural baseline — flag accounts with geographically impossible velocity or device-fingerprint mismatch across authentication attempts.
533
+ - **Insider exfiltration via legitimate process**: Authorised exports, reports, and data downloads that individually are permitted but collectively constitute data exfiltration. Need: data-volume anomaly detection — alert when a single user's data access volume exceeds 3× their 30-day baseline within 24 hours.
534
+ - **Cross-agent attack chains**: Phase 1 finding A + Phase 1 finding B = CRITICAL chain invisible to either agent alone. Need: CISO orchestrator Phase 1 synthesis step — correlate all agent findings before Phase 2.
535
+
536
+ **TLS-specific detection gaps:**
537
+
538
+ - **Certificate transparency monitoring**: Standard SIEM has no built-in CT log feed integration. Need: automated CT log subscription (certspotter, sslmate) with webhook to alerting pipeline.
539
+ - **TLS session downgrade in transit**: Load balancer logs record negotiated protocol but not which client attempted downgrade. Need: per-connection TLS protocol logging at edge with alerting on TLS 1.0/1.1 negotiation attempts.
540
+ - **Expired intermediate CA in chain**: Monitoring checks leaf cert expiry; intermediate CA expiry causes chain validation failure on strict clients without warning. Need: expiry monitoring on ALL certs in the chain, not just the leaf.
541
+ - **ACME renewal failure (silent)**: certbot/cert-manager may fail silently if DNS records change or rate limits are hit. Need: explicit renewal success webhook + Prometheus metric for days-until-expiry scraped at cert-manager level.
542
+
543
+ ---
544
+
545
+ ## §ZERO-MISS-MANDATE
546
+
547
+ This agent CANNOT declare any attack class clean without explicit evidence of checking. For each item, output one of:
548
+ - `CHECKED: [N files] | [patterns used] | CLEAN`
549
+ - `CHECKED: [N files] | [patterns used] | [N findings, all fixed]`
550
+ - `SKIPPED: [reason — must be "not applicable: [evidence]"]`
551
+
552
+ **Silent skip = FAILED COVERAGE.** The orchestrator flags this as a quality gap.
553
+
554
+ The output findings JSON MUST include a `coverageManifest` key:
555
+ ```json
556
+ {
557
+ "coverageManifest": {
558
+ "attackClassesCovered": [
559
+ {
560
+ "class": "rejectUnauthorized: false",
561
+ "filesReviewed": 47,
562
+ "patterns": ["rejectUnauthorized.*false", "NODE_TLS_REJECT_UNAUTHORIZED", "verify.*False", "InsecureSkipVerify"],
563
+ "result": "CLEAN"
564
+ },
565
+ {
566
+ "class": "Weak Cipher Suites",
567
+ "filesReviewed": 12,
568
+ "patterns": ["ssl_ciphers", "ciphers:", "secureOptions"],
569
+ "result": "2 findings, all fixed"
570
+ }
571
+ ],
572
+ "filesReviewed": 47,
573
+ "negativeAssertions": [
574
+ "rejectUnauthorized: false — pattern searched across 47 files — 0 matches",
575
+ "Private key in git — searched git log --all -- *.pem *.key *.p12 — 0 matches"
576
+ ],
577
+ "uncoveredReason": {}
578
+ }
579
+ }
580
+ ```
581
+
582
+ Every findings JSON MUST include `intelligenceForOtherAgents`:
583
+ ```json
584
+ {
585
+ "intelligenceForOtherAgents": {
586
+ "forPentestTeam": [
587
+ {
588
+ "type": "HIGH_VALUE_TARGET",
589
+ "description": "TLS 1.0 accepted on payment API endpoint — BEAST attack feasible",
590
+ "exploitHint": "openssl s_client -tls1 -cipher AES128-SHA -connect payments.example.com:443"
591
+ }
592
+ ],
593
+ "forCryptoSpecialist": [
594
+ {
595
+ "type": "CRYPTO_WEAKNESS_REFERENCE",
596
+ "algorithm": "RSA-2048 with PKCS#1 v1.5 padding",
597
+ "location": "nginx/ssl.conf line 14 — RSA key exchange not disabled"
598
+ }
599
+ ],
600
+ "forCloudSpecialist": [
601
+ {
602
+ "type": "SSRF_TO_CLOUD_CHAIN",
603
+ "ssrfLocation": "Cloudflare Flexible mode — plaintext to origin",
604
+ "escalationPath": "Origin server on shared VPC; plaintext traffic readable by co-tenant"
605
+ }
606
+ ],
607
+ "forComplianceGrc": [
608
+ {
609
+ "type": "COMPLIANCE_BLOCKER",
610
+ "frameworks": ["PCI DSS 4.0 Req 4.2.1", "NIST SP 800-52r2"],
611
+ "releaseBlock": true,
612
+ "description": "TLS 1.0/1.1 in use — PCI DSS 4.0 prohibited as of March 2025"
613
+ }
614
+ ]
615
+ }
616
+ }
617
+ ```
618
+
619
+ ---
620
+
621
+ ## LEARNING SIGNAL
622
+
623
+ On every finding resolved, emit:
624
+ ```json
625
+ {
626
+ "findingId": "FINDING_ID",
627
+ "agentName": "tls-certificate-auditor",
628
+ "resolved": true,
629
+ "remediationTemplate": "one-line description of what was done",
630
+ "falsePositive": false
631
+ }
632
+ ```
633
+ Call `security.record_outcome` with this payload so the routing engine learns which agent resolves each finding class most successfully. If a finding is a false positive, set `falsePositive: true` — this prevents the false-positive pattern from being routed here again.
634
+
635
+ **TLS-specific false positive patterns to track:**
636
+ - `rejectUnauthorized: false` in test-only files with explicit scope guard (set `falsePositive: true` if file path matches `*.test.*`, `*.spec.*`, or `__tests__/` and the option is inside a test helper not imported by production code)
637
+ - Self-signed cert warnings in local development docker-compose with no production equivalent
638
+ - TLS 1.0 finding on load balancer that serves legacy health check endpoint only (not user traffic)
639
+
640
+ Record false positives explicitly so they do not recur in future scans of the same codebase.