Skill v1.0.0 (vibeeval/vibecosystem/security), automated scan 100/100
Published: April 29, 2026 at 10:23 PM
Content Hash: sha256:7b340efb063574b4...
Git SHA: 6172d4ac24fc
Files: SKILL.md (1 file, 108 lines, 3.2 KB)
---
version: "1.0.0"
name: security
description: Security audit workflow - OWASP Top 10, input validation, auth, secret detection, vulnerability scan
---

# Security Patterns

## OWASP Top 10 (2021) Checklist
| # | Vulnerability | Prevention |
|---|---|---|
| A01 | Broken Access Control | RBAC, resource-level auth, CORS |
| A02 | Cryptographic Failures | Encrypt at rest/transit, no PII in logs |
| A03 | Injection (SQL/NoSQL/XSS/OS) | Parameterized queries, output encoding, CSP |
| A04 | Insecure Design | Threat modeling, secure design patterns |
| A05 | Security Misconfiguration | Hardened defaults, no debug in prod |
| A06 | Vulnerable Components | npm audit, dependency scan, CVE tracking |
| A07 | Auth Failures | Rate limiting, MFA, secure session |
| A08 | Data Integrity Failures | Input validation, signed updates, CI/CD security |
| A09 | Logging & Monitoring Failures | Audit log, alert on anomaly |
| A10 | SSRF | URL allowlist, network segmentation |
## Input Validation

```typescript
import { z } from 'zod';

// Schema for untrusted request bodies: length-bounded, shape-checked, allowlisted characters
const UserInput = z.object({
  email: z.string().email().max(255),
  name: z.string().min(1).max(100).regex(/^[\w\s-]+$/),
  age: z.number().int().min(0).max(150),
});

// Parameterized query (SQL injection prevention): user-controlled values are bound,
// never concatenated into the SQL text. `db` and `userId` come from the surrounding code.
const user = await db.query('SELECT * FROM users WHERE id = $1', [userId]);
```
## Auth Best Practices

```typescript
import bcrypt from 'bcryptjs';
import jwt from 'jsonwebtoken';
import rateLimit from 'express-rate-limit';

// Password hashing with cost factor 12; compare() checks a password against the stored hash
const hash = await bcrypt.hash(password, 12);
const valid = await bcrypt.compare(password, hash);

// JWT with expiry
const token = jwt.sign({ userId: user.id, role: user.role }, secret, { expiresIn: '24h' });

// Rate limiting on auth endpoints: 5 attempts per 15-minute window per client
const authLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 5 });
app.use('/api/auth', authLimiter);
```
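The `jwt.sign(..., { expiresIn: '24h' })` call above delegates three checks to the library: the algorithm is pinned, the signature is compared in constant time, and the `exp` claim is enforced on verify. The following added example (not part of the skill, and not the `jsonwebtoken` API) reimplements an HS256 token with Node's built-in `node:crypto` so those checks are visible; the `signHs256`/`verifyHs256` names and the explicit `now` parameter are this example's own.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// base64url without padding, as JWT requires
const b64url = (s: string): string => Buffer.from(s, 'utf8').toString('base64url');

// Issue an HS256 token whose lifetime is ttlSeconds from `now` (unix seconds).
function signHs256(
  payload: Record<string, unknown>,
  secret: string,
  ttlSeconds: number,
  now: number = Math.floor(Date.now() / 1000),
): string {
  const header = { alg: 'HS256', typ: 'JWT' };
  const claims = { ...payload, iat: now, exp: now + ttlSeconds };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = createHmac('sha256', secret).update(signingInput).digest('base64url');
  return `${signingInput}.${sig}`;
}

// Returns the claims on success, or null for any malformed, tampered,
// algorithm-confused or expired token. Never trusts the token's own `alg`.
function verifyHs256(
  token: string,
  secret: string,
  now: number = Math.floor(Date.now() / 1000),
): Record<string, unknown> | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  let header: { alg?: unknown };
  let claims: Record<string, unknown>;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  // Pin the algorithm: rejects "none" and any attempt to swap the algorithm
  if (header.alg !== 'HS256') return null;
  // Recompute the MAC over the exact bytes received and compare in constant time
  const expected = createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  // Enforce expiry; a token without a numeric exp is treated as invalid
  if (typeof claims.exp !== 'number' || claims.exp <= now) return null;
  return claims;
}
```

Verification checks the signature before looking at any claim, so an attacker-controlled payload is never interpreted unless it was produced with the server's secret; the explicit `now` argument exists only so expiry can be tested deterministically.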
## Secret Detection

```bash
# Blocking secrets with git hooks: run from a pre-commit hook and fail the commit on any match
grep -rn "sk-\|pk_\|ghp_\|xoxb-\|AKIA" --include="*.ts" --include="*.js" src/
grep -rn "password\s*=\s*['\"]" --include="*.ts" src/
```
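The two `grep` lines above give the idea; a hook usually also wants per-pattern names, redaction so the secret is not echoed into CI logs, a reviewable opt-out, and an exit code. The following is an added example (not from the skill) that implements that check in TypeScript over constructed file contents; the pattern names, the approximated token formats and the `secret-scan:ignore` marker are this example's own assumptions.

```typescript
interface SecretPattern { name: string; re: RegExp }

// Approximations of well-known credential prefixes plus quoted password literals.
// Formats are assumptions for illustration, not authoritative specifications.
const SECRET_PATTERNS: SecretPattern[] = [
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'github-token', re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: 'slack-bot-token', re: /\bxoxb-[0-9A-Za-z-]{10,}/ },
  { name: 'stripe-key', re: /\b[sp]k_(live|test)_[A-Za-z0-9]{10,}\b/ },
  { name: 'sk-prefixed-api-key', re: /\bsk-[A-Za-z0-9]{20,}\b/ },
  { name: 'hardcoded-password', re: /\bpassword\s*=\s*['"][^'"]+['"]/i },
];

interface SecretFinding { file: string; line: number; pattern: string; redacted: string }

// Keep only enough of the match to locate it; the secret itself must not reach CI logs.
function redact(match: string): string {
  return match.slice(0, 4) + '*'.repeat(Math.max(0, match.length - 4));
}

function scanText(file: string, text: string): SecretFinding[] {
  const findings: SecretFinding[] = [];
  text.split('\n').forEach((line, idx) => {
    // Explicit, diff-visible opt-out for false positives (e.g. test fixtures)
    if (line.indexOf('secret-scan:ignore') !== -1) return;
    for (const { name, re } of SECRET_PATTERNS) {
      const m = re.exec(line);
      if (m) findings.push({ file, line: idx + 1, pattern: name, redacted: redact(m[0]) });
    }
  });
  return findings;
}

function scanFiles(files: Record<string, string>): SecretFinding[] {
  let out: SecretFinding[] = [];
  Object.keys(files).forEach((file) => { out = out.concat(scanText(file, files[file])); });
  return out;
}

// Pre-commit semantics: any finding blocks the commit.
function hookExitCode(findings: SecretFinding[]): number {
  return findings.length === 0 ? 0 : 1;
}

// Constructed sample tree; the token bodies are filler, not real credentials.
const SAMPLE_FILES: Record<string, string> = {
  'src/config.ts': [
    'const aws = process.env.AWS_ACCESS_KEY_ID;',      // env lookup: fine
    "const password = 'hunter2';",                     // quoted literal: flagged
    "const gh = 'ghp_" + 'a'.repeat(36) + "';",        // token-shaped literal: flagged
    "const apiKey = 'sk-" + 'x'.repeat(24) + "';",     // token-shaped literal: flagged
  ].join('\n'),
  'src/safe.ts': [
    'const token = process.env.GITHUB_TOKEN;',
    "const password = config.get('db.password');",     // not a quoted literal: fine
  ].join('\n'),
};
```

Wiring it into a hook is a matter of feeding the staged files to `scanFiles`, printing `file:line pattern redacted` for each finding, and exiting with `hookExitCode(findings)`.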
## Security Headers

```typescript
import helmet from 'helmet';

app.use(helmet());
// Sets Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, etc.
```
## Anti-Patterns

| Anti-Pattern | Solution |
|---|---|
| Hardcoded secrets | Environment variables |
| SQL string concat | Parameterized queries |
| No CORS config | Whitelist origins |
| Debug mode in prod | NODE_ENV check |
| No rate limiting | express-rate-limit |
## Pentest Methodology (Overview)

For the detailed guide: pentest-methodology skill

5-phase pipeline: Recon > Vuln Analysis > Exploitation > Verification > Report
### Proof Levels

| Level | Definition |
|---|---|
| L1 - Theoretical | Potential risk, not exploited |
| L2 - Demonstrated | Bypass/leak demonstrated |
| L3 - Exploited | Full exploit, data access |
| L4 - Chained | Multiple vulns chained together |
### Source-to-Sink Taint Tracing

Check whether user input (source) can reach a dangerous function (sink):

- Source: req.body, req.query, req.params, req.headers, cookies
- Sink: db.query(), eval(), exec(), res.redirect(), innerHTML
- Check: is there sanitization/validation between source and sink?

Use this approach in every code review that touches auth or data handling.
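The source/sink/check steps above are what a taint analysis does mechanically. The following added example (not from the skill) is a minimal forward taint tracer over a hand-built statement list: taint starts at the request sources named above, propagates through assignments, is cleared by a validation step, and is reported when it reaches a dangerous argument of one of the sinks. The statement IR, the `traceTaint` name and the per-sink dangerous-argument table are this example's own assumptions; it also models the one distinction the snippets above rely on, namely that `db.query` is only dangerous in its SQL-text argument, not in its bound-parameter array.

```typescript
// Request-derived values that start a taint flow.
const SOURCES = ['req.body', 'req.query', 'req.params', 'req.headers', 'req.cookies'];

// Dangerous calls and the argument positions that must not receive tainted data.
// db.query position 0 is the SQL text; position 1 (bound parameters) is safe.
const SINKS: Record<string, number[]> = {
  'db.query': [0],
  'eval': [0],
  'exec': [0],
  'res.redirect': [0],
  'innerHTML': [0],
};

type Stmt =
  | { kind: 'assign'; target: string; from: string[] }   // target is computed from these expressions
  | { kind: 'sanitize'; target: string; from: string }    // target = validate/allowlist(from)
  | { kind: 'call'; sink: string; args: string[] };       // sink(args...)

interface TaintFinding { sink: string; argIndex: number; expr: string; origins: string[] }

// Origins of an expression: the request source it reads from, or the origins recorded
// for a variable. String literals and unknown names carry no taint.
function originsOf(expr: string, env: Map<string, Set<string>>): Set<string> {
  const src = SOURCES.find(
    (s) => expr === s || expr.indexOf(s + '.') === 0 || expr.indexOf(s + '[') === 0,
  );
  if (src) return new Set([src]);
  return env.get(expr) || new Set<string>();
}

// Walk the program once, in order, tracking which sources each variable depends on.
function traceTaint(program: Stmt[]): TaintFinding[] {
  const env = new Map<string, Set<string>>();
  const findings: TaintFinding[] = [];
  for (const stmt of program) {
    switch (stmt.kind) {
      case 'assign': {
        const merged = new Set<string>();
        stmt.from.forEach((e) => originsOf(e, env).forEach((o) => merged.add(o)));
        env.set(stmt.target, merged);
        break;
      }
      case 'sanitize':
        env.set(stmt.target, new Set<string>());   // validation breaks the flow
        break;
      case 'call': {
        const dangerous = SINKS[stmt.sink] || [];
        stmt.args.forEach((arg, i) => {
          const origins = originsOf(arg, env);
          if (dangerous.indexOf(i) !== -1 && origins.size > 0) {
            findings.push({ sink: stmt.sink, argIndex: i, expr: arg, origins: Array.from(origins).sort() });
          }
        });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample programs written in the IR above.
// String concatenation of a query parameter into SQL text: reported.
const VULNERABLE: Stmt[] = [
  { kind: 'assign', target: 'id', from: ['req.query.id'] },
  { kind: 'assign', target: 'sql', from: ['"SELECT * FROM users WHERE id = "', 'id'] },
  { kind: 'call', sink: 'db.query', args: ['sql'] },
];
// Same input, but bound as a parameter: the tainted value never touches the SQL text.
const PARAMETERIZED: Stmt[] = [
  { kind: 'assign', target: 'id', from: ['req.query.id'] },
  { kind: 'call', sink: 'db.query', args: ['"SELECT * FROM users WHERE id = $1"', 'id'] },
];
// Redirect target passed through an allowlist check before the sink: not reported.
const SANITIZED: Stmt[] = [
  { kind: 'assign', target: 'next', from: ['req.body.next'] },
  { kind: 'sanitize', target: 'safeNext', from: 'next' },
  { kind: 'call', sink: 'res.redirect', args: ['safeNext'] },
];
```

The tracer is deliberately flow-insensitive about branches and ignores loops, which is enough for the review question above: each finding names the sink, the argument and the request source the value came from, so the reviewer knows exactly where a validation step is missing.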