## https://sploitus.com/exploit?id=EBBC7019-30C8-5C4F-A020-88763BC8166B
---

## Features

- **Multi-language support**: Automatic identification and scanning of PHP, Java, Python and Go source code.
- **60+ detection rules**: Based on regular expression matching, covering 12 common types of web vulnerabilities.
- **Automatic language detection**: Intelligently identifies the language based on file extensions, without manual configuration.
- **Structured reports**: Generates `Security.md`, including details about vulnerabilities, root cause analysis, repair suggestions, and PoC scripts.
- **Runnable PoCs**: Each vulnerability comes with a Python 3 validation script for easy reproduction and verification.
- **Multiple output formats**: Supports Markdown reports and JSON summaries.
- **Intelligent exclusion**: Automatically skips irrelevant directories like `node_modules`, `vendor`, `.git`, and `__pycache__`.

---

## Vulnerability Coverage

| No. | Vulnerability Type | CWE | Severity | Description |
|---|-------------------|----|---------|-------------|
| 1 | SQL Injection | CWE-89 | Critical | SQL query with unvalidated user input; no parameterization |
| 2 | Command Injection/RCE | CWE-78 | Critical | User input passed to functions like `system()`, `exec()`, and `subprocess()` |
| 3 | Cross-Site Scripting (XSS) | CWE-79 | High | Unescaped user input directly rendered in HTML |
| 4 | Unsafe Deserialization | CWE-502 | Critical | Functions like `unserialize()`, `pickle.loads()`, and `readObject()` handling user data |
| 5 | Server-Side Request Forgery (SSRF) | CWE-918 | High | User-controlled URLs used for server-side HTTP requests |
| 6 | XML External Entities (XXE) | CWE-611 | High | XML parsing with enabled external entities |
| 7 | Path Traversal | CWE-22 | High | User input used for file path concatenation |
| 8 | Server-Side Template Injection (SSTI) | CWE-1336 | Critical | User input passed to template rendering |
| 9 | Unsafe File Upload | CWE-434 | High | Unvalidated file types or content during upload |
| 10 | Open Redirection | CWE-601 | Medium | Redirect targets controlled by user input |
| 11 | Hardcoded Credentials | CWE-798 | High | Hardcoded API keys, tokens, passwords in code |
| 12 | Exposed Sensitive Endpoints | CWE-200 | Medium | Exposing endpoints like Spring Actuator and Django Debug |

---

## Project Structure

```
web-security-audit-skills/
├── SKILL.md                # Definition file for skills (trigger conditions, workflow, rule references)
├── README.md               # Project documentation (this file)
└── scripts/
    ├── main.py             # Main entry point, command-line parsing and workflow
    ├── engine.py           # Audit engine, file collection and scanning scheduling
    ├── rules.py            # Detection rule library, regular expressions for various languages
    └── security_md.py      # Report generator, responsible for generating `Security.md` and PoC templates
```

---

## Environment Requirements

- **Python**: 3.8 or higher
- **Dependencies**: Standard libraries are used; no need to install additional third-party packages
- **Operating Systems**: Windows, macOS, Linux are all supported

---

## Quick Start

### Basic Usage

```bash
python scripts/main.py
```

### Scanning Specific Languages

```bash
python scripts/main.py /path/to/php-project --lang php
```

### Specifying Output Path

```bash
python scripts/main.py /path/to/project --output /tmp/Security.md
```

### Generating a JSON Summary

```bash
python scripts/main.py /path/to/project --output /tmp/Security.md --format json
```

```bash
python scripts/main.py /path/to/project --json
```

### Complete Example

```bash
python scripts/main.py ./my-go-project --lang go --output Security.md --json
```

---

## Command Line Parameters

| Parameter | Description | Default Value |
|----------|--------------|-------------|
| `target` | Path to the source code directory to be scanned (required) | — |
| `--lang` | Specifies the language: `php`, `java`, `python`, `go` | Automatically detected |
| `--output` | Path of the generated `Security.md` report | Current working directory |
| `--json` | Generates a JSON summary file | No |

---

## Workflow

1. **Determine the scope**: Specify the target directories to be scanned.
2. **Collect files**: Recursively traverse the directories, filter source files by suffix, and automatically exclude dependency and build directories.
3. **Language identification**: Automatically determine the language based on the file suffix (or use `--lang` to specify manually).
4. **Rule application**: Apply detection rules for each file, scanning them line by line.
5. **Result aggregation**: Classify and count results by severity level: Critical, High, Medium, Low.
6. **Generate report**: Output `Security.md`, which includes an execution summary, vulnerability distribution, detailed findings, and proof of concept (PoC).

### Supported File Suffixes

| Language | Suffixes |
|----------|------------|
| PHP | `.php`, `.phtml`, `.php3`, `.php4`, `.php5`, `.inc` |
| Java | `.java`, `.jsp`, `.jspx` |
| Python | `.py`, `.pyw`, `.html`, `.jinja2`, `.j2` |
| Go | `.go` |

### Automatically Excluded Directories

`node_modules`, `vendor`, `.git`, `__pycache__`, `.venv`, `venv`, `.idea`, `.vscode`, `dist`, `build`, `target`, `__mvn`, `__gradle`, `egg-info`, `.egg`, `.tox`

---

## Reference for Detection Rules

### PHP Rules

| Rule ID | Category | Matching Pattern |
|----------|----------|---------------|
| PHP-SQLI-001 | SQL Injection | `mysql_query(` / `->query(` with a `$` variable in the query string |
| PHP-XSS-001 | XSS | `echo $_GET`, `print $_POST`, `loadXML($)` |
| PHP-REDIR-001 | Redirection | `header("Location: ".$_GET)` |

### Java Rules

| Rule ID | Category | Matching Pattern |
|----------|----------|---------------|
| JAVA-SQLI-001 | SQL Injection | `createStatement()`, `executeQuery("SELECT...+")` |
| JAVA-XSS-001 | XSS | `response.getWriter().print(request.get)`, `response.print(request.get)` |
| JAVA-RCE-001 | Command Injection | `Runtime.getRuntime().exec(request.get)` |
| JAVA-DESER-001 | Deserialization | `ObjectInputStream(request)`, `readObject()` |
| JAVA-SSRF-001 | SSRF | `HttpURLConnection`, `RestTemplate` containing user URLs |
| JAVA-XXE-001 | XXE | `DocumentBuilderFactory.newInstance()` |
| JAVA-PATH-001 | Path Traversal | `new File(request.get)`, `Paths.get(request.get)` |
| JAVA-ACT-001 | Actuator Exposure | `endpoints.web.exposure.include=*` |

### Python Rules

| Rule ID | Category | Matching Pattern |
|----------|----------|---------------|
| PY-SQLI-001 | SQL Injection | `.execute(f"...request)"`, `.execute("...%s" % request)` |
| PY-XSS-001 | XSS | `\|safe`, `mark_safe(request)`, `render_template_string(request)` |
| PY-RCE-001 | Command Injection | `os.system(request` / `subprocess.run(request` / `eval(request` |
| PY-SSTI-001 | SSTI | `render_template_string(request` / `Template(request)` |
| PY-DESER-001 | Deserialization | `pickle.loads(request` / `yaml.load(request)` |
| PY-SSRF-001 | SSRF | `requests.get(request` / `urlopen(request)` |
| PY-PATH-001 | Path Traversal | `open(request` / `send_file(request)` |
| PY-SECRET-001 | Django Secret | Hardcoded `SECRET_KEY = '...'` |

### Go Rules

| Rule ID | Category | Matching Pattern |
|---------|----------|---------------|
| GO-SQLI-001 | SQL Injection | `fmt.Sprintf("SELECT...%s"` / `db.Query("SELECT..."+` |
| GO-XSS-001 | XSS | `w.Write([]byte(r.` / `fmt.Fprintf(w, r.` |
| GO-RCE-001 | Command Injection | `exec.Command(r.` / `exec.CommandContext(ctx, r.` |
| GO-SSTI-001 | SSTI | `template.New(r.` / `.Execute(w, r.)` |
| GO-SSRF-001 | SSRF | `http.Get(r.` / `http.NewRequest(r.)` |
| GO-PATH-001 | Path Traversal | `os.Open(r.` / `ioutil.ReadFile(r.)` |
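The workflow steps above (collect, detect language, apply rules line by line, aggregate by severity) and the rule tables, as an added example that is not the project's `engine.py` or `rules.py`: a compact scanner over an in-memory project. The regexes are my approximations of four of the listed patterns, and the sample files are constructed for the demonstration.

```python
import re
from collections import Counter
from pathlib import PurePosixPath
# Constructed rule table: (rule id, language, severity, regex). The regexes are
# approximations of the patterns listed above, not the project's rules.py.
RULES = [
    ("PHP-SQLI-001", "php", "Critical", re.compile(r"(mysql_query|->query)\s*\(.*\$")),
    ("PY-RCE-001", "python", "Critical", re.compile(r"\b(os\.system|subprocess\.run|eval)\(\s*request")),
    ("PY-SECRET-001", "python", "High", re.compile(r"^\s*SECRET_KEY\s*=\s*['\"][^'\"]+['\"]")),
    ("GO-RCE-001", "go", "Critical", re.compile(r"exec\.Command(Context)?\((ctx,\s*)?r\.")),
]
SUFFIX_LANG = {".php": "php", ".phtml": "php", ".java": "java", ".jsp": "java",
               ".py": "python", ".go": "go"}
EXCLUDED_DIRS = {"node_modules", "vendor", ".git", "__pycache__", ".venv", "venv",
                 "dist", "build", "target"}

def detect_language(path):
    """Language from the file suffix (the automatic detection step)."""
    return SUFFIX_LANG.get(PurePosixPath(path).suffix)

def is_excluded(path):
    """True if any parent directory is a dependency or build directory."""
    return any(part in EXCLUDED_DIRS for part in PurePosixPath(path).parts[:-1])

def scan_file(path, text, lang=None):
    """Apply every rule for the file's language to each line; lang forces the rule set (--lang)."""
    lang = lang or detect_language(path)
    findings = []
    if lang is None or is_excluded(path):
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule_id, rule_lang, severity, pattern in RULES:
            if rule_lang == lang and pattern.search(line):
                findings.append({"rule": rule_id, "severity": severity,
                                 "file": path, "line": lineno, "code": line.strip()})
    return findings

def scan_tree(files, lang=None):
    """Scan {path: source} and count findings per severity, as the report summary does."""
    findings = [f for path, text in files.items() for f in scan_file(path, text, lang)]
    counts = Counter(f["severity"] for f in findings)
    return findings, {s: counts.get(s, 0) for s in ("Critical", "High", "Medium", "Low")}

# Constructed in-memory project: three files with findings plus one under vendor/ that must be skipped.
SAMPLE_FILES = {
    "app/login.php": "<?php\n$sql = \"SELECT * FROM users WHERE id=\".$_GET['id'];\n$res = mysql_query($sql);\n",
    "app/views.py": "import os\nSECRET_KEY = 'hardcoded-example'\ndef ping(request):\n    os.system(request.GET['host'])\n",
    "cmd/server.go": 'out, _ := exec.Command(r.FormValue("cmd")).Output()\n',
    "vendor/lib.php": '$r = mysql_query("SELECT 1 WHERE x=".$_GET["x"]);\n',
}
```

`scan_tree(SAMPLE_FILES)` returns four findings (three Critical, one High) and nothing from `vendor/`; each finding carries the file, line number and matched code that the report's "Vulnerable Location" block prints.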

---

## Report Example

After scanning is completed, the `Security.md` report structure is as follows:

````markdown
# Security Audit Report — ProjectName

**Generated:** 2026-06-20 10:00:00
**Scanner:** Marvis Web Security Audit Skill
**Languages:** PHP / Java / Python / Go

---

## 1. Executive Summary

| Metric | Value |
|--------|-------|
| Scanned Files | 42 |
| Total Findings | 15 |
| Critical | 3 |
| High | 7 |
| Medium | 4 |
| Low | 1 |

## 2. Vulnerability Distribution

| Category | Count |
|----------|-------|
| SQL Injection | 5 |
| Cross-Site Scripting (XSS) | 4 |
| ... | ... |

## 3. Detailed Findings

### Critical Severity

#### SQL Injection

##### [1] PHP-SQLI-001 — login.php

- **Rule ID:** `PHP-SQLI-001`
- **CWE:** [CWE-89](https://cwe.mitre.org/data/definitions/89.html)
- **Category:** SQL Injection
- **Severity:** Critical

**Vulnerable Location:**
```
File : /path/to/login.php
Line : 12
Code : $sql = "SELECT * FROM users WHERE id=".$_GET['id'];
```

**Root Cause:**
User input is concatenated into the SQL query without using parameterized queries or prepared statements.

**Remediation:**
1. Use PDO prepared statements
2. Validate user input

**Exploit (PoC):**
```python
#!/usr/bin/env python3
"""SQL Injection PoC"""
import requests
# ... executable validation script ...
```
````

---

## Disclaimer

This tool is intended solely for **authorized security testing and code audits**. Before using it, please ensure that:

1. You have legal ownership of the target code or have obtained written permission.
2. You use this tool for security assessments in accordance with laws and regulations.
3. The generated PoC scripts are used only for verifying vulnerability presence and should not be used for illegal intrusions.
4. Before testing in a production environment, fully assess the potential impacts.

The author assumes no responsibility for any consequences arising from the improper use of this tool.