vulnhunter
VulnHunter - Security Vulnerability Detection & Analysis
A comprehensive security audit skill for identifying dangerous APIs, footgun patterns, error-prone configurations, and hunting for vulnerability variants across codebases. Inspired by Trail of Bits' sharp-edges and variant-analysis methodologies.
Overview
VulnHunter combines two powerful security analysis techniques:
- Sharp Edges Detection - Identify error-prone APIs, dangerous defaults, and footgun designs
- Variant Analysis - Find similar vulnerabilities across codebases using pattern-based analysis
When to Use VulnHunter
Activate this skill when:
- Conducting security code reviews or audits
- Reviewing third-party dependencies for dangerous patterns
- Hunting for variants of known vulnerabilities
- Assessing API design for security footguns
- Pre-audit reconnaissance of unfamiliar codebases
Sharp Edges Detection
Categories of Sharp Edges
1. Dangerous Default Configurations
Look for configurations that are insecure by default:
- CORS: Access-Control-Allow-Origin: *
- Debug modes enabled in production
- Default credentials or API keys
- Permissive file permissions (777, 666)
- SSL/TLS verification disabled
- Insecure deserialization settings
2. Error-Prone APIs
Memory Safety:
// Dangerous: No bounds checking
strcpy(), strcat(), sprintf(), gets()
memcpy() without size validation
// Safer alternatives
strncpy(), strncat(), snprintf(), fgets()
memcpy_s() with explicit size
Cryptography Footguns:
- ECB mode encryption
- MD5/SHA1 for security purposes
- Hardcoded IVs or salts
- Custom crypto implementations
- Random without CSPRNG (Math.random for tokens)
Concurrency Issues:
- Race conditions in file operations
- Time-of-check to time-of-use (TOCTOU)
- Double-checked locking anti-patterns
- Non-atomic increment/decrement operations
3. Language-Specific Footguns
JavaScript/TypeScript:
// Dangerous patterns
eval(), new Function(), setTimeout(string)
innerHTML, outerHTML, document.write()
Object.assign() for deep clone (shallow only!)
== instead of === (type coercion)
Python:
# Dangerous patterns
pickle.loads(untrusted) # RCE vector
yaml.load(untrusted) # Use safe_load
exec(), eval()
os.system(), subprocess with shell=True
Rust:
// Patterns requiring extra scrutiny
unsafe { }
.unwrap() in production code
mem::transmute()
raw pointer dereference
Solidity/Smart Contracts:
// High-risk patterns
tx.origin for authentication // Phishing vulnerable
delegatecall to untrusted // Storage collision
selfdestruct // Permanent destruction
block.timestamp for randomness // Miner manipulable
Sharp Edges Checklist
When reviewing code, systematically check for:
- Authentication bypasses - Missing auth checks, default credentials
- Authorization flaws - Privilege escalation, IDOR patterns
- Injection vectors - SQL, Command, Template, XSS
- Cryptographic weaknesses - Weak algorithms, improper key handling
- Resource exhaustion - Unbounded loops, memory allocation
- Race conditions - TOCTOU, concurrent state modification
- Information disclosure - Verbose errors, debug endpoints
- Deserialization - Untrusted data unmarshaling
- Path traversal - User-controlled file paths
- SSRF vectors - User-controlled URLs, redirects
Variant Analysis
The Variant Hunting Process
- Identify the Root Cause - Understand WHY a vulnerability exists
- Extract the Pattern - What code structure enables it?
- Generalize the Pattern - Create regex/AST patterns
- Search Codebase - Hunt for similar structures
- Validate Findings - Confirm each variant is exploitable
Pattern Extraction Templates
Template 1: Missing Validation Pattern
Original bug: User input flows to SQL query without sanitization
Pattern: [user_input] -> [sink_function] without [validation_function]
Search for:
- Direct database calls with string concatenation
- ORM raw query methods with user parameters
- Similar data flows in adjacent modules
Template 2: Authentication Bypass
Original bug: Endpoint missing auth middleware
Pattern: Route definition without auth decorator/middleware
Search for:
- Routes defined after the vulnerable one
- Similar API patterns in other modules
- Admin/internal endpoints
Template 3: Race Condition
Original bug: Check-then-act without atomicity
Pattern: if (check_condition()) { act_on_condition() }
Search for:
- File existence checks followed by file operations
- Permission checks followed by privileged actions
- Balance checks followed by transfers
Search Strategies
Grep-Based Search
# Find potential SQL injection
grep -rn "execute.*%s" --include="*.py"
grep -rn "query.*\+" --include="*.js"
# Find dangerous deserialize
grep -rn "pickle.loads\|yaml.load\|eval(" --include="*.py"
# Find command injection vectors
grep -rn "os.system\|subprocess.*shell=True" --include="*.py"
Semantic Search (AST-Based)
For more precise matching, use AST-based tools:
- Semgrep - Cross-language semantic grep
- CodeQL - GitHub's semantic analysis
- tree-sitter - Universal parser
Variant Analysis Report Template
## Variant Analysis Report
### Original Finding
- **ID**: FINDING-001
- **Severity**: High
- **Root Cause**: [Description]
- **Affected File**: path/to/file.ext:line
### Pattern Extracted
[Code pattern or regex]
### Variants Discovered
| # | Location | Severity | Status | Notes |
|---|----------|----------|--------|-------|
| 1 | file.ext:42 | High | Confirmed | Same root cause |
| 2 | other.ext:100 | Medium | Suspected | Needs validation |
### Recommendations
[Systematic fix approach]
Workflow
Phase 1: Reconnaissance
- Identify technology stack and languages
- Map entry points (APIs, CLI, file inputs)
- Locate authentication/authorization logic
- Find cryptographic operations
- Identify external integrations
Phase 2: Sharp Edges Scan
- Run through sharp edges checklist
- Focus on security-critical paths
- Document all suspicious patterns
- Cross-reference with known CVEs
Phase 3: Variant Hunting
- For each finding, extract pattern
- Search for variants systematically
- Validate each potential variant
- Assess aggregate risk
Phase 4: Reporting
- Consolidate findings by category
- Assign severity ratings
- Provide remediation guidance
- Highlight systemic issues
Integration with Static Analysis
Semgrep Rules for Common Patterns
# Example: Detect SQL injection in Python
rules:
- id: sql-injection-format
patterns:
- pattern: $CURSOR.execute($QUERY % ...)
message: "Potential SQL injection via string formatting"
severity: ERROR
languages: [python]
CodeQL Queries
// Find tainted data flowing to dangerous sinks
import python
import semmle.python.dataflow.TaintTracking
from DataFlow::PathNode source, DataFlow::PathNode sink
where TaintTracking::localTaint(source.getNode(), sink.getNode())
and sink.getNode().asExpr().(Call).getTarget().getName() = "execute"
select sink, source, sink, "Tainted input reaches SQL execution"
Examples
See the /examples folder for:
- Real-world sharp edges examples by language
- Variant analysis case studies
- Pattern extraction walkthroughs
Resources
resources/sharp-edges-catalog.md- Comprehensive catalog of dangerous patternsresources/variant-patterns.md- Common vulnerability pattern templatestemplates/variant-report.md- Report template for variant analysis
Guidelines
- Always verify - Don't report theoretical issues as confirmed vulnerabilities
- Context matters - A pattern may be safe in one context, dangerous in another
- Prioritize exploitability - Focus on patterns that lead to real impact
- Document assumptions - Note any threat model assumptions
- Systemic over point fixes - Recommend architectural improvements when patterns repeat
Skill Files
vulnhunter/
├── SKILL.md # This file
├── resources/
│ ├── sharp-edges-catalog.md # Categorized dangerous patterns
│ └── variant-patterns.md # Vulnerability pattern templates
├── examples/
│ ├── smart-contracts/ # Solidity/blockchain examples
│ ├── web-apps/ # Web application examples
│ └── native-code/ # C/C++/Rust examples
├── templates/
│ └── variant-report.md # Analysis report template
└── docs/
└── methodology.md # Detailed methodology guide
More from sendaifun/skills
helius
Build Solana applications with Helius infrastructure. Covers transaction sending (Sender), asset/NFT queries (DAS API), real-time streaming (WebSockets, Laserstream), event pipelines (webhooks), priority fees, wallet analysis, and agent onboarding.
216solana-kit
Complete guide for @solana/kit - the modern, tree-shakeable, zero-dependency JavaScript SDK from Anza. Covers RPC connections, signers, transaction building with pipe, signing, sending, and account fetching with full TypeScript support.
203pumpfun
Complete PumpFun Protocol guide for building token launches, bonding curves, and AMM integrations on Solana. Covers Pump Program (token creation, buy/sell on bonding curves), PumpSwap AMM (liquidity pools, swaps), fee structures, creator fees, and SDK integration.
166meteora
Complete Meteora DeFi SDK suite for building liquidity pools, AMMs, bonding curves, vaults, token launches, and zap operations on Solana. Use when integrating DLMM, DAMM v2, DAMM v1, Dynamic Bonding Curves, Alpha Vaults, Zap, or Stake-for-Fee functionality.
165raydium
Complete Raydium Protocol SDK - the single source of truth for integrating Raydium on Solana. Covers SDK, Trade API, CLMM, CPMM, AMM pools, LaunchLab token launches, farming, CPI integration, and all Raydium tools.
145coingecko
Complete CoinGecko Solana API integration for token prices, DEX pool data, OHLCV charts, trades, and market analytics. Use for building trading bots, portfolio trackers, price feeds, and on-chain data applications.
141