Security vulnerability detection and variant analysis skill. Use when hunting for dangerous APIs, footgun patterns, error-prone configurations, and vulnerability variants across codebases. Combines sharp edges detection with variant hunting methodology.
A comprehensive security audit skill for identifying dangerous APIs, footgun patterns, error-prone configurations, and hunting for vulnerability variants across codebases. Inspired by Trail of Bits' sharp-edges and variant-analysis methodologies.
Overview
VulnHunter combines two powerful security analysis techniques:
Variant Analysis - Find similar vulnerabilities across codebases using pattern-based analysis
When to Use VulnHunter
Activate this skill when:
Conducting security code reviews or audits
Reviewing third-party dependencies for dangerous patterns
Hunting for variants of known vulnerabilities
Assessing API design for security footguns
Pre-audit reconnaissance of unfamiliar codebases
Sharp Edges Detection
Categories of Sharp Edges
1. Dangerous Default Configurations
Look for configurations that are insecure by default:
- CORS: Access-Control-Allow-Origin: *
- Debug modes enabled in production
- Default credentials or API keys
- Permissive file permissions (777, 666)
- SSL/TLS verification disabled
- Insecure deserialization settings
2. Error-Prone APIs
Memory Safety:
// Dangerous: No bounds checking
strcpy(), strcat(), sprintf(), gets()
memcpy() without size validation
// Safer alternatives
strncpy(), strncat(), snprintf(), fgets()
memcpy_s() with explicit size
Cryptography Footguns:
- ECB mode encryption
- MD5/SHA1 for security purposes
- Hardcoded IVs or salts
- Custom crypto implementations
- Random without CSPRNG (Math.random for tokens)
Concurrency Issues:
- Race conditions in file operations
- Time-of-check to time-of-use (TOCTOU)
- Double-checked locking anti-patterns
- Non-atomic increment/decrement operations
3. Language-Specific Footguns
JavaScript/TypeScript:
// Dangerous patterns
eval(), new Function(), setTimeout(string)
innerHTML, outerHTML, document.write()
Object.assign() for deep clone (shallow only!)
== instead of === (type coercion)
Python:
# Dangerous patterns
pickle.loads(untrusted) # RCE vector
yaml.load(untrusted) # Use safe_load
exec(), eval()
os.system(), subprocess with shell=True
Rust:
// Patterns requiring extra scrutiny
unsafe { }
.unwrap() in production code
mem::transmute()
raw pointer dereference
Solidity/Smart Contracts:
// High-risk patterns
tx.origin for authentication // Phishing vulnerable
delegatecall to untrusted // Storage collision
selfdestruct // Permanent destruction
block.timestamp for randomness // Miner manipulable
Race conditions - TOCTOU, concurrent state modification
Information disclosure - Verbose errors, debug endpoints
Deserialization - Untrusted data unmarshaling
Path traversal - User-controlled file paths
SSRF vectors - User-controlled URLs, redirects
Variant Analysis
The Variant Hunting Process
Identify the Root Cause - Understand WHY a vulnerability exists
Extract the Pattern - What code structure enables it?
Generalize the Pattern - Create regex/AST patterns
Search Codebase - Hunt for similar structures
Validate Findings - Confirm each variant is exploitable
Pattern Extraction Templates
Template 1: Missing Validation Pattern
Original bug: User input flows to SQL query without sanitization
Pattern: [user_input] -> [sink_function] without [validation_function]
Search for:
- Direct database calls with string concatenation
- ORM raw query methods with user parameters
- Similar data flows in adjacent modules
Template 2: Authentication Bypass
Original bug: Endpoint missing auth middleware
Pattern: Route definition without auth decorator/middleware
Search for:
- Routes defined after the vulnerable one
- Similar API patterns in other modules
- Admin/internal endpoints
Template 3: Race Condition
Original bug: Check-then-act without atomicity
Pattern: if (check_condition()) { act_on_condition() }
Search for:
- File existence checks followed by file operations
- Permission checks followed by privileged actions
- Balance checks followed by transfers