Add five security skills: OAuth, AWS, prototype pollution, deserialization, Django #617
a27dbab to e990aee
Expand coverage with OAuth flow testing, AWS misconfigurations, prototype pollution, insecure deserialization, and Django framework playbooks.
Greptile Summary
Adds five new security skill markdown files across the
Confidence Score: 5/5
All five files are documentation-only skill markdown files with no executable code paths; merging carries no runtime risk. The change is entirely additive markdown content. The skill loader strips frontmatter and reads file stems for registration, so none of the minor wording or naming observations affect how the skills load or validate. The technical content across all five files is accurate and well-structured. The JWT wording in strix/skills/frameworks/django.md is the only content-accuracy nit worth a second look before merging.
Reviews (2): Last reviewed commit: "Clarify S3 existence vs public listing c..."
e990aee to 100f561
- Use head-bucket for S3 existence checks instead of duplicating s3 ls
- Add Node.js to insecure_deserialization frontmatter description
rajpratham1 left a comment
Thanks for contributing these security skills. The structure is consistent across all documents and the coverage is comprehensive, making them easy to consume. I only have one minor suggestion: in aws.md, the unauthenticated enumeration section should more clearly distinguish bucket existence checks (head-bucket/HTTP status) from public listing (aws s3 ls). Aside from that clarification, the content looks well organized and valuable.
Split unauthenticated enumeration into separate head-bucket/HTTP and s3 ls steps with interpretation guidance per review.
Thanks for the review, @rajpratham1! Addressed in d84930d — the unauthenticated enumeration section in
Ready for another look when you have a moment.

LGTM thanks @Ayush7614, added a few tools
Summary
Adds five new community skills that were missing from the repository:
- protocols/oauth — OAuth 2.0 / OIDC flow testing (redirect URI manipulation, PKCE bypass, token confusion, state/nonce CSRF)
- cloud/aws — AWS security (S3 exposure, IAM escalation, IMDS abuse, Cognito/Lambda misconfigs)
- vulnerabilities/prototype_pollution — Client/server prototype pollution with Node.js gadget guidance
- vulnerabilities/insecure_deserialization — Java, Python, PHP, .NET deserialization and gadget chains
- frameworks/django — Django/DRF testing (ORM injection, permissions, CSRF, sessions, admin)

Each skill follows the existing format: YAML frontmatter, attack surface, methodology, techniques, bypass methods, validation, and false-positive guidance.
Verification
- get_all_skill_names()
- validate_requested_skills() passes for each skill
- load_skills() loads full content with required sections
- (protocols, cloud, vulnerabilities, frameworks)
Test plan
- skills="oauth,business_logic" to confirm prompt injection
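The verification steps above exercise a loader that strips YAML frontmatter, registers each skill by its file stem, validates requested names, and loads the body into the prompt. The following is an added, hypothetical re-implementation written for this review, not the strix project's own loader: the function names mirror the ones listed above, but their signatures, the required section headings (`Attack Surface`, `Methodology`, `Validation`, `False Positives`), the `<skill>` prompt wrapper, and the sample skill files are all assumptions constructed here so the example runs offline.

```python
"""Hypothetical skill loader (added example, not the project's own code).

Demonstrates: frontmatter stripping, registration by file stem under
category directories, validation of a comma-separated request, and a
required-section check before a skill's body is injected into a prompt.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Assumed required headings; the real skill format lists more sections.
REQUIRED_SECTIONS = ("Attack Surface", "Methodology", "Validation", "False Positives")
FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---\n", re.S)


def strip_frontmatter(text: str) -> tuple[dict[str, str], str]:
    """Return (frontmatter fields, markdown body). Only 'key: value' lines are parsed."""
    m = FRONTMATTER_RE.match(text)
    if not m:
        return {}, text
    fields: dict[str, str] = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields, text[m.end():]


def get_all_skill_names(root: Path) -> dict[str, Path]:
    """Map skill name (file stem) -> path for every <category>/<name>.md under root."""
    return {p.stem: p for p in sorted(root.glob("*/*.md"))}


def validate_requested_skills(requested: str, root: Path) -> tuple[list[str], list[str]]:
    """Split a 'a,b,c' request into (known names, unknown names), preserving order."""
    known = get_all_skill_names(root)
    names = [n.strip() for n in requested.split(",") if n.strip()]
    return [n for n in names if n in known], [n for n in names if n not in known]


def missing_sections(body: str) -> list[str]:
    """Required '## Heading' entries absent from the body, in canonical order."""
    headings = {h.strip() for h in re.findall(r"^##\s+(.+)$", body, re.M)}
    return [s for s in REQUIRED_SECTIONS if s not in headings]


def load_skills(requested: str, root: Path) -> dict[str, str]:
    """Load bodies for the requested skills; reject unknown names or incomplete files."""
    valid, unknown = validate_requested_skills(requested, root)
    if unknown:
        raise ValueError(f"unknown skills: {unknown}")
    known = get_all_skill_names(root)
    loaded: dict[str, str] = {}
    for name in valid:
        _fields, body = strip_frontmatter(known[name].read_text(encoding="utf-8"))
        missing = missing_sections(body)
        if missing:
            raise ValueError(f"skill {name!r} is missing sections: {missing}")
        loaded[name] = body
    return loaded


def build_prompt(requested: str, root: Path) -> str:
    """Wrap each loaded body in an assumed <skill> block for injection into a prompt."""
    return "\n".join(
        f'<skill name="{name}">\n{body.strip()}\n</skill>'
        for name, body in load_skills(requested, root).items()
    )


# --- constructed sample repository (not the project's real skill files) ---
def _skill_md(name: str, description: str, sections: tuple[str, ...]) -> str:
    front = f"---\nname: {name}\ndescription: {description}\n---\n"
    body = f"# {name}\n\n" + "".join(f"## {s}\n{s} notes for {name}.\n\n" for s in sections)
    return front + body


SAMPLE_FILES = {
    "protocols/oauth.md": _skill_md("oauth", "OAuth 2.0 / OIDC flow testing", REQUIRED_SECTIONS),
    "cloud/aws.md": _skill_md("aws", "AWS misconfiguration testing", REQUIRED_SECTIONS),
    # Deliberately incomplete so the section check has something to reject.
    "vulnerabilities/prototype_pollution.md": _skill_md(
        "prototype_pollution", "Prototype pollution", REQUIRED_SECTIONS[:2]
    ),
}


def build_sample_repo() -> Path:
    """Write the constructed sample files into a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="skills_"))
    for rel, text in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    print(sorted(get_all_skill_names(repo)))
    print(validate_requested_skills("oauth,aws,nope", repo))
    print(build_prompt("oauth,aws", repo)[:120])
```

Registering by stem means two categories cannot both contain a file with the same name without one silently shadowing the other, which is why the validation step checks names against the registry rather than against raw paths; the section check runs before the body reaches the prompt so an incomplete skill fails loudly at load time instead of producing a silently weaker system prompt.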