What is Vulnerability Patterns used for?

It helps you recognize and understand common web vulnerability patterns during whitebox pentesting and code review, guiding exploitation and mitigation.

Which vulnerability types does it cover?

SQL Injection, Command Injection, Cross-Site Scripting (XSS), Path Traversal/LFI, Deserialization, and other OWASP-aligned classes.

How does this integrate with OWASP Top 10 2025?

It references the OWASP categories and maps indicators and risk to specific items (e.g., A05 Injection, A07 Authentication Failures), to prioritize findings.

Vulnerability Patterns

npx machina-cli add skill allsmog/vuln-scout/vuln-patterns --openclaw

Files (1)

SKILL.md

7.0 KB

Vulnerability Patterns Reference

Purpose

Provide comprehensive knowledge of common web vulnerability patterns for whitebox penetration testing. Understanding these patterns enables identification of security flaws during code review and guides exploitation techniques.

When to Use

Activate this skill when:

Analyzing potential vulnerabilities found during sink search
Understanding how specific vulnerability classes work
Determining exploitability of identified code patterns
Learning attack techniques for specific vulnerability types

OWASP Top 10 2025 Overview

Rank	Category	Code Indicators	Related Skill
A01	Broken Access Control	Missing auth checks, IDOR patterns	`business-logic`
A02	Security Misconfiguration	Debug enabled, default creds	`security-misconfiguration`
A03	Software Supply Chain	Dependency vulns, build pipeline	(out of scope)
A04	Cryptographic Failures	Weak algorithms, hardcoded keys	`cryptographic-failures`
A05	Injection	User input in queries/commands	`vuln-patterns` (this skill)
A06	Insecure Design	Logic flaws, missing controls	`business-logic`
A07	Authentication Failures	Weak session, credential issues	`vuln-patterns` (this skill)
A08	Data Integrity Failures	Deserialization, CI/CD issues	`vuln-patterns` (this skill)
A09	Logging & Alerting Failures	Missing logs, log injection	`logging-failures`
A10	Mishandling of Exceptions	XXE, error disclosure	`exception-handling`

See owasp-2025 skill for complete mapping with CWE references.

Core Vulnerability Categories

SQL Injection (SQLi)

Pattern: User input concatenated into SQL queries

Indicators:

String concatenation in query construction
Template literals/f-strings in SQL
Missing parameterized queries
Raw/native query methods

Exploitation Flow:

Identify injection point
Determine database type
Test with basic payloads
Extract data or escalate

Risk Impact: Data breach, authentication bypass, RCE (in some cases)

Command Injection

Pattern: User input passed to system command functions

Indicators:

Command execution functions with user data
Shell metacharacters not filtered
Insufficient input validation

Exploitation Flow:

Identify command execution sink
Trace user input to sink
Test command separators
Chain commands for exploitation

Risk Impact: Remote Code Execution, full system compromise

Cross-Site Scripting (XSS)

Types:

Reflected: Input reflected in response
Stored: Input persisted and displayed
DOM-based: Client-side JavaScript manipulation

Indicators:

User input in HTML output without encoding
Dynamic HTML insertion with user data
Missing output encoding

Risk Impact: Session hijacking, credential theft, malware distribution

Path Traversal / LFI

Pattern: User input in file path operations

Indicators:

File inclusion with user-controlled path
File read/write with user input
Missing path validation

Exploitation Flow:

Identify file operation with user input
Test traversal sequences
Target sensitive files
Chain with other vulnerabilities

Risk Impact: Information disclosure, source code leak, potential RCE

Deserialization

Pattern: Untrusted data passed to deserialization functions

Indicators:

Deserialization functions with user data
User-controlled serialized data
Missing type validation

Exploitation Flow:

Identify deserialization sink
Find gadget chains
Craft malicious payload
Achieve code execution

Risk Impact: Remote Code Execution

Server-Side Request Forgery (SSRF)

Pattern: User-controlled URLs in server-side requests

Indicators:

HTTP client with user-provided URL
URL validation bypass possibilities
Internal network access

Exploitation Flow:

Identify HTTP request with user URL
Test internal endpoints
Bypass URL validation
Access internal services

Risk Impact: Internal network access, cloud metadata exposure

SSRF Exfiltration Vectors

When SSRF response is not directly returned to the attacker, consider these exfiltration methods:

Vector	How It Works	Detection
External Callback	SSRF visits attacker-controlled URL with data	Check if outbound requests are allowed
DNS Exfiltration	Data encoded in subdomain (e.g., `secret.evil.com`)	Works even with firewall restrictions
Cache Poisoning	Response cached, retrieved later by attacker	Check proxy cache config for static extensions
Error-Based	Error messages leak response data	Check error handling and logging
Timing/Blind	Response time reveals information	Measure response latency variations
File Write	Write response to accessible location	Check for file write primitives

Cache-Based Exfiltration Pattern (commonly missed):

1. SSRF makes request to /sensitive-endpoint.png
2. Proxy caches response (thinks it's static file)
3. Attacker requests /sensitive-endpoint.png
4. Gets cached sensitive data

See cache-poisoning skill for detailed detection patterns.

Template Injection (SSTI)

Pattern: User input rendered in server-side templates

Indicators:

Template rendering with user-controlled template
Template syntax in user input

Exploitation Flow:

Identify template rendering point
Test template syntax
Determine template engine
Escalate to RCE

Risk Impact: Remote Code Execution

Vulnerability Identification Framework

Step 1: Sink Identification

Use the dangerous-functions skill to find security-sensitive functions.

Step 2: Source Tracing

Use the data-flow-tracing skill to trace user input to sinks.

Step 3: Pattern Matching

Match code patterns against known vulnerability types.

Step 4: Exploitability Assessment

Consider filters, authentication, impact, and bypass potential.

Additional Resources

Reference Files

For detailed exploitation techniques:

references/injection-attacks.md - SQLi, Command Injection, LDAP Injection
references/deserialization-attacks.md - PHP, Java, Python, .NET gadgets
references/access-control.md - IDOR, privilege escalation, authorization bypass
references/auth-bypass.md - Authentication bypass, session attacks, JWT flaws
references/race-conditions.md - TOCTOU, double-spend, concurrency vulnerabilities

Integration with Other Skills

Use dangerous-functions to identify sinks
Use data-flow-tracing to trace sources to sinks
Use exploit-techniques to develop working PoC

Source

git clone https://github.com/allsmog/vuln-scout/blob/main/whitebox-pentest/skills/vuln-patterns/SKILL.mdView on GitHub

Overview

Vulnerability Patterns provides comprehensive knowledge of common web vulnerability patterns for whitebox pentesting. It helps you identify security flaws during code review and guides exploitation techniques across categories like SQLi, XSS, command injection, and path traversal, aligned with OWASP Top 10 2025.

How This Skill Works

The skill catalogs core patterns, indicators, and exploitation flows for each vulnerability class (SQL Injection, Command Injection, XSS, Path Traversal/LFI, Deserialization). Analysts use these mappings during code reviews and sink analyses to detect where user input interacts with sensitive operations, then validate exploitability with targeted payloads.

When to Use It

Analyzing potential vulnerabilities found during sink search.
Understanding how specific vulnerability classes work.
Determining exploitability of identified code patterns.
Learning attack techniques for specific vulnerability types.
Reviewing OWASP Top 10 2025 categories and mappings during findings.

Quick Start

Step 1: Locate sinks and sources where user data enters queries, commands, or output.
Step 2: Verify indicators and test with representative payloads per pattern.
Step 3: Classify the pattern, assess exploitability, and capture remediation ideas.

Best Practices

Map each pattern to actual code points: sources, sinks, and sanitizers.
Prefer parameterized queries and safe APIs for all inputs to prevent pattern exploitation.
Validate inputs at boundaries and test with multiple payload types per pattern.
Document indicators: query strings, command sinks, HTML outputs, and serialization calls.
Use isolated testing environments and avoid destructive payloads in production.

Example Use Cases

SQL Injection in a legacy app concatenating user input into SQL.
Command Injection via unsanitized OS command execution.
XSS in a reflected login form.
Path Traversal/LFI in a file downloader that uses user-supplied paths.
Deserialization of untrusted data leading to code execution in a Java app.

Frequently Asked Questions

Add this skill to your agents