A sink is a function where untrusted input can cause harm, such as executing commands, evaluating code, or running SQL.

How do I start a dangerous functions search?

Identify the application's language, load the language-specific reference, grep for sink patterns across relevant files, and document findings with context.

What should be included in the sink catalog?

File path, line number, function name, input sources (when visible), context, and an initial risk assessment.

Dangerous Functions

npx machina-cli add skill allsmog/vuln-scout/dangerous-functions --openclaw

Files (1)

SKILL.md

5.1 KB

Dangerous Functions Reference

Purpose

Provide comprehensive knowledge of security-sensitive functions (sinks) across programming languages for whitebox penetration testing. These functions are common targets during code review because improper use leads to critical vulnerabilities.

When to Use

Activate this skill during:

Code review phase of whitebox pentesting
Searching for potential vulnerability entry points
Building grep patterns for sink identification
Understanding language-specific security risks

Core Concepts

Sources vs Sinks

Sources: Entry points where user input enters the application

HTTP parameters, headers, cookies
File uploads, database reads
Environment variables, command-line arguments

Sinks: Functions where malicious input causes damage

Command execution, SQL queries
File operations, deserialization
Code evaluation, template rendering

Risk Categories

Category	Impact	Common Languages
Command Injection	Remote Code Execution	All
Code Injection	Remote Code Execution	PHP, Python, JS
SQL Injection	Data breach	All with databases
Deserialization	Remote Code Execution	Java, PHP, Python, .NET
File Operations	LFI/RFI/Arbitrary Write	All
SSRF	Internal network access	All
Template Injection	Remote Code Execution	Python, Java, JS
Reentrancy	Fund theft	Solidity
Flash Loan Attacks	Price/state manipulation	Solidity
Access Control	Privilege escalation	Solidity

Methodology

Step 1: Identify Application Language

Determine the primary language(s) used:

Check file extensions (.php, .java, .py, .js, .cs, .go, .rb)
Review package managers (composer.json, pom.xml, requirements.txt, package.json)
Check framework indicators

Step 2: Load Language-Specific Reference

Consult the appropriate reference file for comprehensive sink lists:

references/php-sinks.md for PHP applications
references/java-sinks.md for Java applications
references/python-sinks.md for Python applications
references/javascript-sinks.md for Node.js/JavaScript
references/dotnet-sinks.md for .NET/C# applications
references/go-ruby-sinks.md for Go and Ruby
references/rust-sinks.md for Rust applications
references/kotlin-sinks.md for Kotlin/Android applications
references/swift-sinks.md for Swift/iOS applications
references/solidity-sinks.md for Solidity smart contracts

Step 3: Search for Sinks

Use Grep tool to search for dangerous functions:

Search one category at a time (command, code, SQL, file, etc.)
Use case-insensitive search for better coverage
Include all relevant file extensions

Step 4: Catalog Findings

For each identified sink, document:

File path and line number
Function name and context
Input sources (if visible)
Initial risk assessment

Step 5: Prioritize for Testing

Rank findings using this framework:

Priority	Criteria
Critical	Direct user input reaches sink
High	Database/file data (user-controlled) reaches sink
Medium	Authenticated user input reaches sink
Low	Admin-only input reaches sink
Info	Hardcoded values only

Prioritization Framework

When reviewing identified sinks, consider:

Input Proximity: How close is user input to the sink?
Authentication: Does exploitation require authentication?
Privilege Level: What access level is needed?
Impact: What can an attacker achieve?
Exploitability: Are there filters or sanitization?

Additional Resources

Reference Files

For comprehensive function lists by language, consult:

references/php-sinks.md - PHP dangerous functions with grep patterns
references/java-sinks.md - Java dangerous functions with grep patterns
references/python-sinks.md - Python dangerous functions with grep patterns
references/javascript-sinks.md - JavaScript/Node.js dangerous functions
references/dotnet-sinks.md - .NET/C# dangerous functions
references/go-ruby-sinks.md - Go and Ruby dangerous functions
references/rust-sinks.md - Rust dangerous functions (unsafe, FFI, etc.)
references/kotlin-sinks.md - Kotlin/Android dangerous functions
references/swift-sinks.md - Swift/iOS dangerous functions
references/solidity-sinks.md - Solidity smart contract sinks (reentrancy, access control, flash loans)

Integration with Other Skills

Use vuln-patterns skill for exploitation techniques per vulnerability type
Use data-flow-tracing skill to trace input from sources to identified sinks
Use exploit-techniques skill to develop PoC for confirmed vulnerabilities

Source

git clone https://github.com/allsmog/vuln-scout/blob/main/whitebox-pentest/skills/dangerous-functions/SKILL.mdView on GitHub

Overview

Dangerous Functions helps whitebox pentesters identify security-sensitive sinks across languages. It covers sources and sinks, risk categories, and a methodology to locate, document, and prioritize dangerous functions that can lead to command execution, SQL injection, or deserialization vulnerabilities.

How This Skill Works

Begin by identifying the application's language, then load the corresponding language reference with known sinks. Use a Grep-like search across relevant file extensions to locate dangerous function calls, document context and inputs, and then prioritize findings using the provided framework.

When to Use It

During the code review phase of whitebox pentesting to spot vulnerable entry points.
When searching for potential vulnerability entry points across the codebase.
When building grep patterns to identify sink usage.
When understanding language-specific security risks and sinks.
When compiling a prioritized list of sinks for remediation.

Quick Start

Step 1: Identify application language and load the matching reference file.
Step 2: Run a case-insensitive grep search for known sink patterns across all relevant file extensions.
Step 3: Catalog findings with context (file, line, function) and prioritize for remediation.

Best Practices

Identify the primary language and map to the correct reference file.
Search one sink category at a time (command, code, SQL, file, etc.) using case-insensitive patterns.
Include all relevant file extensions in your scans.
For each sink, record file path, line number, function name, and input sources (if visible).
Prioritize findings using the Risk framework (Critical to Info) and plan remediation.

Example Use Cases

PHP: system(), exec(), shell_exec()
Python: os.system(), subprocess.Popen(), eval()
Java: Runtime.getRuntime().exec(), ProcessBuilder
Node.js: child_process.exec(), execFile()
java.sql.Statement.execute with unparameterized user input (SQL sink)

Frequently Asked Questions

Add this skill to your agents