vulnhunter

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

VulnHunter - Security Vulnerability Detection & Analysis

VulnHunter - 安全漏洞检测与分析

A comprehensive security audit skill for identifying dangerous APIs, footgun patterns, error-prone configurations, and hunting for vulnerability variants across codebases. Inspired by Trail of Bits' sharp-edges and variant-analysis methodologies.

一款全面的安全审计技能，用于识别危险API、易踩坑代码模式、易出错配置，并在代码库中排查漏洞变体。灵感来源于Trail of Bits的尖锐边缘检测与变体分析方法论。

Overview

概述

VulnHunter combines two powerful security analysis techniques:

Sharp Edges Detection - Identify error-prone APIs, dangerous defaults, and footgun designs
Variant Analysis - Find similar vulnerabilities across codebases using pattern-based analysis

VulnHunter结合了两种强大的安全分析技术：

尖锐边缘检测 - 识别易出错API、危险默认配置和易踩坑设计
变体分析 - 使用基于模式的分析在代码库中查找相似漏洞

When to Use VulnHunter

何时使用VulnHunter

Activate this skill when:

Conducting security code reviews or audits
Reviewing third-party dependencies for dangerous patterns
Hunting for variants of known vulnerabilities
Assessing API design for security footguns
Pre-audit reconnaissance of unfamiliar codebases

在以下场景激活此技能：

进行安全代码审查或审计时
审查第三方依赖中的危险模式时
排查已知漏洞的变体时
评估API设计中的安全隐患时
对不熟悉的代码库进行审计前侦察时

Sharp Edges Detection

尖锐边缘检测

Categories of Sharp Edges

尖锐边缘分类

1. Dangerous Default Configurations

1. 危险默认配置

Look for configurations that are insecure by default:

- CORS: Access-Control-Allow-Origin: *
- Debug modes enabled in production
- Default credentials or API keys
- Permissive file permissions (777, 666)
- SSL/TLS verification disabled
- Insecure deserialization settings

查找默认情况下不安全的配置：

- CORS: Access-Control-Allow-Origin: *
- 生产环境中启用调试模式
- 默认凭据或API密钥
- 宽松的文件权限（777, 666）
- 禁用SSL/TLS验证
- 不安全的反序列化设置

2. Error-Prone APIs

2. 易出错API

Memory Safety:

// Dangerous: No bounds checking
strcpy(), strcat(), sprintf(), gets()
memcpy() without size validation

// Safer alternatives
strncpy(), strncat(), snprintf(), fgets()
memcpy_s() with explicit size

Cryptography Footguns:

- ECB mode encryption
- MD5/SHA1 for security purposes
- Hardcoded IVs or salts
- Custom crypto implementations
- Random without CSPRNG (Math.random for tokens)

Concurrency Issues:

- Race conditions in file operations
- Time-of-check to time-of-use (TOCTOU)
- Double-checked locking anti-patterns
- Non-atomic increment/decrement operations

内存安全：

// 危险：无边界检查
strcpy(), strcat(), sprintf(), gets()
memcpy() 无大小验证

// 更安全的替代方案
strncpy(), strncat(), snprintf(), fgets()
带显式大小的memcpy_s()

加密隐患：

- ECB模式加密
- 将MD5/SHA1用于安全场景
- 硬编码IV或盐值
- 自定义加密实现
- 未使用CSPRNG的随机数生成（如用Math.random生成令牌）

并发问题：

- 文件操作中的竞态条件
- 检查时间到使用时间（TOCTOU）问题
- 双重检查锁定反模式
- 非原子性的递增/递减操作

3. Language-Specific Footguns

3. 特定语言隐患

JavaScript/TypeScript:

javascript

// Dangerous patterns
eval(), new Function(), setTimeout(string)
innerHTML, outerHTML, document.write()
Object.assign() for deep clone (shallow only!)
== instead of === (type coercion)

Python:

python

undefined

JavaScript/TypeScript：

javascript

// 危险模式
eval(), new Function(), setTimeout(string)
innerHTML, outerHTML, document.write()
用Object.assign()进行深克隆（实际仅为浅克隆！）
使用==而非===（类型强制转换）

Python：

python

undefined

Dangerous patterns

危险模式

pickle.loads(untrusted) # RCE vector yaml.load(untrusted) # Use safe_load exec(), eval() os.system(), subprocess with shell=True


**Rust:**
```rust
// Patterns requiring extra scrutiny
unsafe { }
.unwrap() in production code
mem::transmute()
raw pointer dereference

Solidity/Smart Contracts:

solidity

// High-risk patterns
tx.origin for authentication  // Phishing vulnerable
delegatecall to untrusted     // Storage collision
selfdestruct                  // Permanent destruction
block.timestamp for randomness // Miner manipulable

pickle.loads(untrusted) # RCE 向量 yaml.load(untrusted) # 应使用safe_load exec(), eval() os.system(), 带shell=True的subprocess


**Rust：**
```rust
// 需要额外检查的模式
unsafe { }
生产代码中的.unwrap()
mem::transmute()
原始指针解引用

Solidity/智能合约：

solidity

// 高风险模式
用tx.origin进行身份验证  // 易受钓鱼攻击
委托调用不可信合约     // 存储冲突
selfdestruct                  // 永久销毁合约
用block.timestamp生成随机数 // 可被矿工操控

Sharp Edges Checklist

尖锐边缘检查清单

Variant Analysis

变体分析

The Variant Hunting Process

变体排查流程

Identify the Root Cause - Understand WHY a vulnerability exists
Extract the Pattern - What code structure enables it?
Generalize the Pattern - Create regex/AST patterns
Search Codebase - Hunt for similar structures
Validate Findings - Confirm each variant is exploitable

确定根本原因 - 理解漏洞存在的原因
提取模式 - 是什么代码结构导致了漏洞？
泛化模式 - 创建正则表达式/AST模式
搜索代码库 - 排查相似结构
验证发现 - 确认每个变体是否可被利用

Pattern Extraction Templates

模式提取模板

Template 1: Missing Validation Pattern

模板1：缺失验证模式

Original bug: User input flows to SQL query without sanitization
Pattern: [user_input] -> [sink_function] without [validation_function]

Search for:
- Direct database calls with string concatenation
- ORM raw query methods with user parameters
- Similar data flows in adjacent modules

原始漏洞：用户输入未经过滤直接流入SQL查询
模式：[用户输入] -> [ sink函数 ] 未经过 [验证函数]

搜索目标：
- 直接使用字符串拼接的数据库调用
- 带用户参数的ORM原生查询方法
- 相邻模块中的相似数据流

Template 2: Authentication Bypass

模板2：身份验证绕过

Original bug: Endpoint missing auth middleware
Pattern: Route definition without auth decorator/middleware

Search for:
- Routes defined after the vulnerable one
- Similar API patterns in other modules
- Admin/internal endpoints

原始漏洞：端点缺失身份验证中间件
模式：路由定义未使用身份验证装饰器/中间件

搜索目标：
- 漏洞路由之后定义的路由
- 其他模块中的相似API模式
- 管理员/内部端点

Template 3: Race Condition

模板3：竞态条件

Original bug: Check-then-act without atomicity
Pattern: if (check_condition()) { act_on_condition() }

Search for:
- File existence checks followed by file operations
- Permission checks followed by privileged actions
- Balance checks followed by transfers

原始漏洞：无原子性的检查-然后-操作
模式：if (check_condition()) { act_on_condition() }

搜索目标：
- 文件存在检查后执行文件操作
- 权限检查后执行特权操作
- 余额检查后执行转账操作

Search Strategies

搜索策略

Grep-Based Search

基于Grep的搜索

bash

undefined

bash

undefined

Find potential SQL injection

查找潜在SQL注入

grep -rn "execute.%s" --include=".py" grep -rn "query.+" --include=".js"

Find dangerous deserialize

查找危险反序列化操作

grep -rn "pickle.loads|yaml.load|eval(" --include="*.py"

Find command injection vectors

查找命令注入向量

grep -rn "os.system|subprocess.shell=True" --include=".py"

undefined

grep -rn "os.system|subprocess.shell=True" --include=".py"

undefined

Semantic Search (AST-Based)

语义搜索（基于AST）

For more precise matching, use AST-based tools:

Semgrep - Cross-language semantic grep
CodeQL - GitHub's semantic analysis
tree-sitter - Universal parser

如需更精确的匹配，使用基于AST的工具：

Semgrep - 跨语言语义Grep
CodeQL - GitHub的语义分析工具
tree-sitter - 通用解析器

Variant Analysis Report Template

变体分析报告模板

markdown

undefined

markdown

undefined

Variant Analysis Report

变体分析报告

Original Finding

原始发现

ID: FINDING-001
Severity: High
Root Cause: [Description]
Affected File: path/to/file.ext:line

ID: FINDING-001
严重程度: 高
根本原因: [描述]
受影响文件: path/to/file.ext:line

Pattern Extracted

提取的模式

[Code pattern or regex]

[代码模式或正则表达式]

Variants Discovered

发现的变体

#	Location	Severity	Status	Notes
1	file.ext:42	High	Confirmed	Same root cause
2	other.ext:100	Medium	Suspected	Needs validation

#	位置	严重程度	状态	备注
1	file.ext:42	高	已确认	相同根本原因
2	other.ext:100	中	疑似	需要验证

Recommendations

建议

[Systematic fix approach]

undefined

[系统化修复方案]

undefined

Workflow

工作流程

Phase 1: Reconnaissance

阶段1：侦察

Identify technology stack and languages
Map entry points (APIs, CLI, file inputs)
Locate authentication/authorization logic
Find cryptographic operations
Identify external integrations

识别技术栈与编程语言
映射入口点（API、CLI、文件输入）
定位身份验证/授权逻辑
查找加密操作
识别外部集成

Phase 2: Sharp Edges Scan

阶段2：尖锐边缘扫描

Run through sharp edges checklist
Focus on security-critical paths
Document all suspicious patterns
Cross-reference with known CVEs

对照尖锐边缘检查清单进行排查
重点关注安全关键路径
记录所有可疑模式
与已知CVE进行交叉引用

Phase 3: Variant Hunting

阶段3：变体排查

For each finding, extract pattern
Search for variants systematically
Validate each potential variant
Assess aggregate risk

针对每个发现提取模式
系统搜索变体
验证每个潜在变体
评估总体风险

Phase 4: Reporting

阶段4：报告

Consolidate findings by category
Assign severity ratings
Provide remediation guidance
Highlight systemic issues

按类别整理发现
分配严重程度评级
提供修复指导
突出系统性问题

Integration with Static Analysis

与静态分析的集成

Semgrep Rules for Common Patterns

常见模式的Semgrep规则

yaml

undefined

yaml

undefined

Example: Detect SQL injection in Python

示例：检测Python中的SQL注入

rules:

id: sql-injection-format patterns:
- pattern: $CURSOR.execute($QUERY % ...) message: "Potential SQL injection via string formatting" severity: ERROR languages: [python]

undefined

rules:

id: sql-injection-format patterns:
- pattern: $CURSOR.execute($QUERY % ...) message: "Potential SQL injection via string formatting" severity: ERROR languages: [python]

undefined

CodeQL Queries

CodeQL查询

// Find tainted data flowing to dangerous sinks
import python
import semmle.python.dataflow.TaintTracking

from DataFlow::PathNode source, DataFlow::PathNode sink
where TaintTracking::localTaint(source.getNode(), sink.getNode())
  and sink.getNode().asExpr().(Call).getTarget().getName() = "execute"
select sink, source, sink, "Tainted input reaches SQL execution"

// 查找流向危险 sink 的污染数据
import python
import semmle.python.dataflow.TaintTracking

from DataFlow::PathNode source, DataFlow::PathNode sink
where TaintTracking::localTaint(source.getNode(), sink.getNode())
  and sink.getNode().asExpr().(Call).getTarget().getName() = "execute"
select sink, source, sink, "Tainted input reaches SQL execution"

Examples

示例

See the

/examples

folder for:

Real-world sharp edges examples by language
Variant analysis case studies
Pattern extraction walkthroughs

查看

/examples

文件夹获取：

按语言分类的真实世界尖锐边缘示例
变体分析案例研究
模式提取演练

Resources

资源

```
resources/sharp-edges-catalog.md
```
- Comprehensive catalog of dangerous patterns
```
resources/variant-patterns.md
```
- Common vulnerability pattern templates
```
templates/variant-report.md
```
- Report template for variant analysis

```
resources/sharp-edges-catalog.md
```
- 危险模式综合目录
```
resources/variant-patterns.md
```
- 常见漏洞模式模板
```
templates/variant-report.md
```
- 分析报告模板

Guidelines

指南

Always verify - Don't report theoretical issues as confirmed vulnerabilities
Context matters - A pattern may be safe in one context, dangerous in another
Prioritize exploitability - Focus on patterns that lead to real impact
Document assumptions - Note any threat model assumptions
Systemic over point fixes - Recommend architectural improvements when patterns repeat

始终验证 - 不要将理论问题作为已确认漏洞报告
上下文很重要 - 某一模式在某些场景下安全，在其他场景下可能危险
优先关注可利用性 - 关注会产生实际影响的模式
记录假设 - 记录任何威胁模型假设
系统性修复优于单点修复 - 当模式重复出现时，建议进行架构改进

Skill Files

技能文件结构

vulnhunter/
├── SKILL.md                          # This file
├── resources/
│   ├── sharp-edges-catalog.md        # Categorized dangerous patterns
│   └── variant-patterns.md           # Vulnerability pattern templates
├── examples/
│   ├── smart-contracts/              # Solidity/blockchain examples
│   ├── web-apps/                     # Web application examples
│   └── native-code/                  # C/C++/Rust examples
├── templates/
│   └── variant-report.md             # Analysis report template
└── docs/
    └── methodology.md                # Detailed methodology guide

vulnhunter/
├── SKILL.md                          # 本文档
├── resources/
│   ├── sharp-edges-catalog.md        # 分类后的危险模式
│   └── variant-patterns.md           # 漏洞模式模板
├── examples/
│   ├── smart-contracts/              # Solidity/区块链示例
│   ├── web-apps/                     # Web应用示例
│   └── native-code/                  # C/C++/Rust示例
├── templates/
│   └── variant-report.md             # 分析报告模板
└── docs/
    └── methodology.md                # 详细方法论指南