mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 21:54:56 +03:00

Files

T

mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills

Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders

2026-03-10 21:02:12 +01:00

2.1 KiB

Raw Blame History

API Reference: Detecting Broken Object Property Level Authorization

OWASP API3:2023 Classification

Category	Description
Excessive Data Exposure	API returns more properties than client needs
Mass Assignment	API accepts more properties than intended
CWE-213	Exposure of Sensitive Information Due to Incompatible Policies
CWE-915	Improperly Controlled Modification of Dynamically-Determined Object Attributes

Python requests Library

import requests

# GET - test for excessive exposure
resp = requests.get(url, headers={"Authorization": f"Bearer {token}"}, timeout=10)
resp.status_code  # 200, 401, 403
resp.json()       # parsed response body

# PUT - test for mass assignment
resp = requests.put(url, json={"role": "admin"}, headers=headers, timeout=10)

# PATCH - test for partial mass assignment
resp = requests.patch(url, json={"is_admin": True}, headers=headers, timeout=10)

Sensitive Field Patterns

Severity	Fields
Critical	password, password_hash, secret, token, api_key, private_key
High	ssn, credit_card, card_number, cvv, bank_account
Medium	salary, role, permissions, is_admin, session_id
Low	phone, address, date_of_birth, gender

Mass Assignment Test Payloads

{"role": "admin"}
{"is_admin": true}
{"is_verified": true}
{"account_type": "premium"}
{"discount_rate": 100}
{"permissions": ["admin", "write", "delete"]}

Burp Suite Extensions

# Autorize - test authorization across roles
# Param Miner - discover hidden parameters
# JSON Beautifier - inspect response properties

CLI Usage

python agent.py --base-url https://api.example.com \
  --endpoint /api/v1/users/123 \
  --token "eyJhbGciOiJIUzI1NiJ9..." \
  --expected-fields id username name email \
  --test both --method PUT

Mitigation Patterns

# Allowlist serialization (Django REST Framework)
class UserSerializer(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = ['id', 'username', 'name']  # explicit allowlist
        read_only_fields = ['id', 'role', 'is_admin']

2.1 KiB Raw Blame History

API Reference: Detecting Broken Object Property Level Authorization

OWASP API3:2023 Classification

Python requests Library

Sensitive Field Patterns

Mass Assignment Test Payloads

Burp Suite Extensions

CLI Usage

Mitigation Patterns

2.1 KiB

Raw Blame History