ils15

security-audit

"Security audit and vulnerability detection - OWASP Top 10, input validation, injection attacks"

ils15 9 4 Updated 3mo ago
GitHub

Install

npx skillscat add ils15/mythic-agents/security-audit

Install via the SkillsCat registry.

SKILL.md

Security Audit Skill

OWASP Top 10 Checks

1. Broken Access Control

# ❌ WRONG: No authorization check
@router.delete("/users/{user_id}")
async def delete_user(user_id: int):
    await db.delete(User, user_id)

# ✅ RIGHT: Check permissions
@router.delete("/users/{user_id}")
async def delete_user(user_id: int, current_user: User):
    if user_id != current_user.id and current_user.role != "admin":
        raise HTTPException(403, "Not authorized")
    await db.delete(User, user_id)

2. Cryptographic Failures

# ❌ WRONG: Store plain password
user.password = password

# ✅ RIGHT: Hash password
user.password = hashlib.sha256(password.encode()).hexdigest()
# Better: use bcrypt/argon2
from passlib.context import CryptContext
pwd_context = CryptContext(schemes=["bcrypt"])
user.password = pwd_context.hash(password)

3. Injection Attacks

# ❌ WRONG: SQL injection
query = f"SELECT * FROM users WHERE email = '{email}'"

# ✅ RIGHT: Parameterized queries
query = select(User).where(User.email == email)

4. Insecure Design

  • Input validation on ALL endpoints
  • Rate limiting on sensitive operations
  • CSRF tokens for state changes
  • CORS properly configured

5. Security Misconfiguration

# ❌ WRONG: Debug in production
app = FastAPI(debug=True)

# ✅ RIGHT: Debug only in dev
app = FastAPI(debug=os.getenv("ENVIRONMENT") == "development")

6. Vulnerable & Outdated Components

  • Pin dependencies versions
  • Regular security updates
  • Audit packages: pip audit
  • Use dependabot/renovate

7. Authentication Failures

# ✅ Best Practice: JWT with expiration
token = jwt.encode(
    {
        "sub": user.id,
        "exp": datetime.utcnow() + timedelta(hours=24)
    },
    SECRET_KEY,
    algorithm="HS256"
)

8. Software & Data Integrity Failures

  • Verify package signatures
  • Use HTTPS only
  • Sign API responses (when needed)

9. Logging & Monitoring Failures

# ✅ Log security events
logger.warning(f"Failed login attempt for {email}")
logger.error(f"SQL error encountered: {error_code}")
# BUT: Never log passwords, tokens, PII!

10. Server-Side Request Forgery (SSRF)

  • Validate URLs before fetching
  • Whitelist allowed domains
  • Disabled redirects to internal IPs

Checklist

  • All inputs validated
  • Passwords hashed (bcrypt/argon2)
  • No hardcoded secrets
  • CORS configured properly
  • Rate limiting active
  • Errors don't leak info
  • HTTPS only
  • Security headers set

Categories

Code Review Debugging Security
GitHub

Install

npx skillscat add ils15/mythic-agents/security-audit

Install via the SkillsCat registry.

Recommended Skills

mukul975
analyzing-docker-container-forensics by mukul975
11.4K 1mo ago
mukul975
analyzing-heap-spray-exploitation by mukul975
11.4K 1mo ago
mukul975
analyzing-macro-malware-in-office-documents by mukul975
11.3K 1mo ago
mukul975
analyzing-outlook-pst-for-email-forensics by mukul975
11.2K 1mo ago
mukul975
analyzing-packed-malware-with-upx-unpacker by mukul975
11.2K 1mo ago
mukul975
analyzing-ios-app-security-with-objection by mukul975
11.2K 1mo ago