pentest-whitebox-code-review

Source code security audit using backward taint analysis, slot type classification, render context verification, and 3-phase parallel review producing an exploitation queue.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "pentest-whitebox-code-review" with this command: npx skills add jd-opensource/joysafeter/jd-opensource-joysafeter-pentest-whitebox-code-review

Pentest Whitebox Code Review

Purpose

Perform systematic white-box source code security audit using Shannon's backward taint analysis methodology. Traces from dangerous sinks back to user-controlled sources, classifies injection contexts by slot type, verifies XSS render contexts, and produces a prioritized exploitation queue for downstream proof-driven exploitation.

Prerequisites

Authorization Requirements

  • Written authorization with explicit scope for source code review
  • Source code access — full repository with version control history
  • Architecture documentation if available (data flow diagrams, API specs)
  • Deployment configuration access (environment variables, secrets management)

Environment Setup

  • semgrep with custom rules for taint analysis
  • CodeQL database built for target language
  • ripgrep for fast pattern searching
  • jadx for Android APK decompilation (if applicable)
  • Source map extraction tools for minified JavaScript
  • AST parsing tools for target language (tree-sitter, babel, etc.)

Core Workflow

Phase 1: Discovery

  1. Architecture Mapping: Identify application layers (routing, controllers, services, data access, templates). Map data flow from HTTP entry points through business logic to database/file/external sinks.
  2. Entry Point Enumeration: Catalog all user-controlled input sources — HTTP parameters, headers, cookies, file uploads, WebSocket messages, environment variables, database reads of user-stored data.
  3. Security Pattern Inventory: Identify existing security controls — input validation functions, output encoding helpers, parameterized query patterns, CSRF protections, authentication middleware, rate limiters.

Phase 2: Vulnerability Analysis (5 Parallel Tracks)

  1. Injection Sink Hunting: Backward taint from SQL/command/file/template sinks to sources. Classify each sink by slot type: SQL-val, SQL-ident, CMD-argument, FILE-path, TEMPLATE-expr. Verify whether parameterization or sanitization breaks the taint chain.
  2. XSS Render Context Analysis: Identify all dynamic output points in templates/responses. Classify each by render context: HTML_BODY, HTML_ATTRIBUTE, JAVASCRIPT_STRING, URL_PARAM, CSS_VALUE. Verify context-appropriate encoding is applied at each output point.
  3. Authentication Checklist (9-point): Transport security, rate limiting, session management, token properties, session fixation resistance, password policy enforcement, login response uniformity, account recovery security, SSO/OAuth implementation.
  4. Authorization Model Review (3-type): Horizontal (same-role cross-user access), vertical (privilege escalation across roles), context-workflow (state-dependent authorization bypass).
  5. SSRF Sink Hunting: Identify all outbound request sinks. Classify by type: classic (direct URL), blind (no response), semi-blind (partial response), stored (deferred execution). Trace URL construction from user input to request dispatch.

Phase 3: Synthesis

  1. Confidence Scoring & Exploitation Queue: Score each finding by taint chain completeness, sanitization bypass likelihood, and impact severity. Generate exploitation queue JSON for downstream exploit validation.

Slot Type Classification

Slot TypeSink PatternSanitization Required
SQL-valQuery parameter value positionParameterized query / prepared statement
SQL-identTable name, column name, ORDER BYAllowlist validation
CMD-argumentShell command argumentArgument escaping + allowlist
FILE-pathFile read/write path constructionPath canonicalization + allowlist
TEMPLATE-exprTemplate engine expressionContext-aware auto-escaping

Render Context Classification

ContextOutput LocationEncoding Required
HTML_BODYBetween HTML tagsHTML entity encoding
HTML_ATTRIBUTEInside attribute valuesAttribute encoding + quoting
JAVASCRIPT_STRINGInside JS string literalsJavaScript Unicode escaping
URL_PARAMURL query parameter valuesURL percent encoding
CSS_VALUEInside CSS property valuesCSS hex encoding

Tool Categories

CategoryToolsPurpose
Taint Analysissemgrep, CodeQLAutomated sink-to-source taint tracing
Pattern Searchripgrep, ast-grepFast code pattern matching
Decompilationjadx, sourcemap-extractRecover source from compiled artifacts
AST Parsingtree-sitter, babelLanguage-aware code structure analysis
Dependency Auditnpm audit, pip-audit, snykKnown vulnerability detection

References

  • references/tools.md - Tool function signatures and parameters
  • references/workflows.md - Taint analysis workflows and vulnerability patterns

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

pentest-ai-llm-security

No summary provided by upstream source.

Repository SourceNeeds Review
-30
jd-opensource
General

pentest-mobile-app

No summary provided by upstream source.

Repository SourceNeeds Review
-38
jd-opensource
General

pentest-osint-recon

No summary provided by upstream source.

Repository SourceNeeds Review
-38
jd-opensource