MCP HubMCP Hub
Back to Skills

Static Vulnerability Analysis

macaugh
Updated Today
14 views
2
2
View on GitHub
Developmentgeneral

About

This skill performs static vulnerability analysis by examining source code without execution to identify security flaws. It combines automated pattern matching with manual code review to find issues like memory safety problems and logic flaws. Use it when source code is available, before dynamic testing, or during security code reviews for languages including C/C++, Java, Python, JavaScript, and PHP.

Documentation

Static Vulnerability Analysis

Overview

Static analysis examines source code without executing it, identifying security vulnerabilities through pattern matching, data flow analysis, and manual code review. This technique is essential for finding logic flaws, authentication bypasses, and subtle vulnerabilities that automated tools might miss.

Core principle: Combine automated tools with manual review. Tools find patterns; humans find logic flaws.

Common Vulnerability Patterns

Memory Safety Issues (C/C++)

// Buffer Overflow
char buffer[256];
strcpy(buffer, user_input);  // ❌ Unsafe
strncpy(buffer, user_input, sizeof(buffer)-1);  // ✓ Safer

// Integer Overflow
size_t alloc = user_count * item_size;  // ❌ Can overflow
void *ptr = malloc(alloc);

// Use After Free
free(ptr);
ptr->field = value;  // ❌ Use after free

// Double Free
free(ptr);
free(ptr);  // ❌ Double free

Injection Vulnerabilities

# SQL Injection
query = f"SELECT * FROM users WHERE name = '{user_input}'"  # ❌
cursor.execute(query)

# Safe: Parameterized queries
cursor.execute("SELECT * FROM users WHERE name = ?", (user_input,))  # ✓

# Command Injection
os.system(f"ping {user_input}")  # ❌

# Safe: Use subprocess with list
subprocess.run(["ping", user_input])  # ✓

# Path Traversal
filepath = f"/data/{user_filename}"  # ❌ ../../../etc/passwd
open(filepath, 'r')

# Safe: Validate and use os.path.join with validation

Authentication and Authorization

# Broken Authentication
if username == "admin" and password == config.ADMIN_PASSWORD:  # ❌ Timing attack
    grant_access()

# Better: Use constant-time comparison
import hmac
if hmac.compare_digest(username, "admin") and \
   hmac.compare_digest(password, config.ADMIN_PASSWORD):
    grant_access()

# Authorization Bypass
def get_user_data(user_id):
    # ❌ No authorization check
    return database.get_user(user_id)

# Better: Check authorization
def get_user_data(user_id):
    if current_user.id != user_id and not current_user.is_admin:
        raise UnauthorizedException()
    return database.get_user(user_id)

Automated Tools

# Semgrep - Pattern-based analysis
semgrep --config=auto /path/to/source

# Bandit - Python security linter
bandit -r /path/to/python/code

# ESLint with security plugins - JavaScript
eslint --plugin security /path/to/js

# Brakeman - Ruby on Rails
brakeman /path/to/rails/app

# FindSecBugs - Java
# SpotBugs with FindSecBugs plugin

# SonarQube - Multi-language
sonar-scanner

Manual Review Checklist

  • Input validation on all user-controlled data
  • Authentication mechanisms (session management, password storage)
  • Authorization checks (IDOR, privilege escalation)
  • Cryptographic implementations (weak algorithms, hardcoded keys)
  • Error handling (information disclosure)
  • Business logic flaws
  • Race conditions and time-of-check-time-of-use
  • Sensitive data exposure (logs, error messages)

Data Flow Analysis

# Trace tainted data from source to sink
# SOURCE: User input
# SINK: Dangerous operation

# Example:
user_input = request.GET['file']  # SOURCE
# ... no validation ...
content = open(user_input).read()  # SINK

# Finding: Path traversal vulnerability
# No validation between source and sink

Integration with Other Skills

  • skills/analysis/zero-day-hunting - Comprehensive vulnerability research
  • skills/exploitation/exploit-dev-workflow - Exploitation of found vulnerabilities
  • skills/documentation/* - Document findings

Quick Install

/plugin add https://github.com/macaugh/super-rouge-hunter-skills/tree/main/static-vuln-analysis

Copy and paste this command in Claude Code to install this skill

GitHub 仓库

macaugh/super-rouge-hunter-skills
Path: skills/analysis/static-vuln-analysis

Related Skills

analyzing-dependencies

Meta

This skill analyzes project dependencies for security vulnerabilities, outdated packages, and license compliance issues. It helps developers identify potential risks in their dependencies using the dependency-checker plugin. The skill supports popular package managers including npm, pip, composer, gem, and Go modules.

View skill

work-execution-principles

Other

This Claude Skill establishes core development principles for work breakdown, scope definition, testing strategies, and dependency management. It provides a systematic approach for code reviews, planning, and architectural decisions to ensure consistent quality standards across all development activities. The skill is universally applicable to any programming language or framework when starting development work or planning implementation approaches.

View skill

Git Commit Helper

Meta

This Claude Skill generates descriptive commit messages by analyzing git diffs. It automatically follows conventional commit format with proper types like feat, fix, and docs. Use it when you need help writing commit messages or reviewing staged changes in your repository.

View skill

subagent-driven-development

Development

This skill executes implementation plans by dispatching a fresh subagent for each independent task, with code review between tasks. It enables fast iteration while maintaining quality gates through this review process. Use it when working on mostly independent tasks within the same session to ensure continuous progress with built-in quality checks.

View skill