mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 13:39:40 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
+76
@@ -0,0 +1,76 @@
|
||||
# API Reference: Detecting Broken Object Property Level Authorization
|
||||
|
||||
## OWASP API3:2023 Classification
|
||||
|
||||
| Category | Description |
|
||||
|----------|-------------|
|
||||
| Excessive Data Exposure | API returns more properties than client needs |
|
||||
| Mass Assignment | API accepts more properties than intended |
|
||||
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies |
|
||||
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes |
|
||||
|
||||
## Python requests Library
|
||||
|
||||
```python
|
||||
import requests
|
||||
|
||||
# GET - test for excessive exposure
|
||||
resp = requests.get(url, headers={"Authorization": f"Bearer {token}"}, timeout=10)
|
||||
resp.status_code # 200, 401, 403
|
||||
resp.json() # parsed response body
|
||||
|
||||
# PUT - test for mass assignment
|
||||
resp = requests.put(url, json={"role": "admin"}, headers=headers, timeout=10)
|
||||
|
||||
# PATCH - test for partial mass assignment
|
||||
resp = requests.patch(url, json={"is_admin": True}, headers=headers, timeout=10)
|
||||
```
|
||||
|
||||
## Sensitive Field Patterns
|
||||
|
||||
| Severity | Fields |
|
||||
|----------|--------|
|
||||
| Critical | password, password_hash, secret, token, api_key, private_key |
|
||||
| High | ssn, credit_card, card_number, cvv, bank_account |
|
||||
| Medium | salary, role, permissions, is_admin, session_id |
|
||||
| Low | phone, address, date_of_birth, gender |
|
||||
|
||||
## Mass Assignment Test Payloads
|
||||
|
||||
```json
|
||||
{"role": "admin"}
|
||||
{"is_admin": true}
|
||||
{"is_verified": true}
|
||||
{"account_type": "premium"}
|
||||
{"discount_rate": 100}
|
||||
{"permissions": ["admin", "write", "delete"]}
|
||||
```
|
||||
|
||||
## Burp Suite Extensions
|
||||
|
||||
```
|
||||
# Autorize - test authorization across roles
|
||||
# Param Miner - discover hidden parameters
|
||||
# JSON Beautifier - inspect response properties
|
||||
```
|
||||
|
||||
## CLI Usage
|
||||
|
||||
```bash
|
||||
python agent.py --base-url https://api.example.com \
|
||||
--endpoint /api/v1/users/123 \
|
||||
--token "eyJhbGciOiJIUzI1NiJ9..." \
|
||||
--expected-fields id username name email \
|
||||
--test both --method PUT
|
||||
```
|
||||
|
||||
## Mitigation Patterns
|
||||
|
||||
```python
|
||||
# Allowlist serialization (Django REST Framework)
|
||||
class UserSerializer(serializers.ModelSerializer):
|
||||
class Meta:
|
||||
model = User
|
||||
fields = ['id', 'username', 'name'] # explicit allowlist
|
||||
read_only_fields = ['id', 'role', 'is_admin']
|
||||
```
|
||||
Reference in New Issue
Block a user