ark-pentest-issue-resolver

Ark Penetration Test Issue Resolver

Provides detection patterns, mitigation strategies, and fixes for common penetration testing issues found in the Ark platform.

When to use this skill

Use this skill when:

• User reports a penetration testing finding without a specific CVE
• Security audit reveals OWASP Top 10 vulnerabilities
• User mentions issues like "XSS", "SQL injection", "CSRF", etc.
• Need to identify and fix common security misconfigurations

Note: This skill is used by the ark-security-patcher agent when no specific CVE is mentioned. It helps identify and resolve standard penetration testing findings.

Common Penetration Test Issues

1. SQL Injection

Description: Attacker can inject malicious SQL queries through user input.

Detection Patterns:

# VULNERABLE: Direct string concatenation
query = f"SELECT * FROM users WHERE username = '{username}'"

# VULNERABLE: String formatting
query = "SELECT * FROM users WHERE id = %s" % user_id

Mitigation:

# SECURE: Use parameterized queries
cursor.execute("SELECT * FROM users WHERE username = ?", (username,))

# SECURE: Use ORM with parameter binding
User.objects.filter(username=username)

# SECURE: Use sqlalchemy with bound parameters
session.query(User).filter(User.username == username)

Ark Context:

• Check Python services: services/ark-api/, executor services
• Search for: cursor.execute, db.query, SQL string concatenation
• Verify all database queries use parameterized statements

---

2. Cross-Site Scripting (XSS)

Description: Attacker can inject malicious JavaScript into web pages viewed by other users.

Types:

• Reflected XSS: Malicious script in URL/request is reflected in response
• Stored XSS: Malicious script stored in database and displayed to users
• DOM-based XSS: Vulnerability exists in client-side JavaScript

Detection Patterns:

// VULNERABLE: Direct innerHTML manipulation
element.innerHTML = userInput;

// VULNERABLE: Unescaped template rendering
return `<div>${userInput}</div>`;

// VULNERABLE: dangerouslySetInnerHTML in React
<div dangerouslySetInnerHTML={{__html: userInput}} />

Mitigation:

// SECURE: Use textContent
element.textContent = userInput;

// SECURE: Use React/Vue built-in escaping
return <div>{userInput}</div>

// SECURE: Sanitize HTML if HTML input is required
import DOMPurify from 'dompurify';
const clean = DOMPurify.sanitize(userInput);

// SECURE: Set Content-Security-Policy header
Content-Security-Policy: default-src 'self'; script-src 'self'

Ark Context:

• Check: ark-dashboard/, docs/ (Next.js applications)
• Search for: dangerouslySetInnerHTML, innerHTML, unescaped templates
• Ensure proper Content-Security-Policy headers in Next.js config
• Verify all user input is escaped in React components

---

3. Cross-Site Request Forgery (CSRF)

Description: Attacker tricks user into executing unwanted actions on authenticated application.

Detection Patterns:

// VULNERABLE: No CSRF token validation
http.HandleFunc("/api/delete", func(w http.ResponseWriter, r *http.Request) {
    // Directly processes DELETE without token
    deleteUser(r.FormValue("id"))
})

Mitigation:

// SECURE: Use CSRF middleware
import "github.com/gorilla/csrf"

csrfMiddleware := csrf.Protect(
    []byte("32-byte-long-auth-key"),
    csrf.Secure(true),
)
http.ListenAndServe(":8000", csrfMiddleware(router))

// SECURE: Verify CSRF token
token := r.Header.Get("X-CSRF-Token")
if !csrf.Validate(token, session) {
    http.Error(w, "Invalid CSRF token", http.StatusForbidden)
    return
}

// SECURE: Use SameSite cookie attribute
http.SetCookie(w, &http.Cookie{
    Name:     "session",
    Value:    sessionID,
    SameSite: http.SameSiteStrictMode,
    Secure:   true,
    HttpOnly: true,
})

Ark Context:

• Check: Go operator API endpoints, Python API services
• Search for: State-changing endpoints (POST, PUT, DELETE) without CSRF protection
• Verify cookies use SameSite=Strict or SameSite=Lax
• Add CSRF middleware to API routes that modify state

---

4. Insecure Direct Object References (IDOR)

Description: Application exposes internal implementation objects (IDs) without proper authorization checks.

Detection Patterns:

# VULNERABLE: No authorization check
@app.route('/api/user/<user_id>')
def get_user(user_id):
    return User.query.get(user_id)  # Any authenticated user can access any user

# VULNERABLE: Predictable IDs
@app.route('/api/document/<int:doc_id>')
def get_document(doc_id):
    return Document.query.get(doc_id)  # Sequential IDs are guessable

Mitigation:

# SECURE: Check authorization
@app.route('/api/user/<user_id>')
def get_user(user_id):
    user = User.query.get(user_id)
    if user.id != current_user.id and not current_user.is_admin:
        abort(403, "Unauthorized")
    return user

# SECURE: Use UUIDs instead of sequential IDs
import uuid
user_id = uuid.uuid4()

# SECURE: Implement resource ownership check
def check_ownership(resource_id, user_id):
    resource = Resource.query.get(resource_id)
    if resource.owner_id != user_id:
        raise PermissionDenied()

Ark Context:

• Check: All REST API endpoints in Python services, Go operator
• Search for: Direct ID references in URL paths, missing authorization checks
• Verify: Every resource access checks user permissions
• Consider: Using UUIDs for resource identifiers

---

5. Security Misconfiguration

Description: Insecure default configurations, incomplete setups, open cloud storage, misconfigured HTTP headers.

Common Issues:

Missing Security Headers

Detection:

curl -I https://ark-dashboard.example.com | grep -E "X-Frame-Options|X-Content-Type-Options|Strict-Transport-Security"

Mitigation:

// Add security headers middleware
func securityHeaders(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("X-Frame-Options", "DENY")
        w.Header().Set("X-Content-Type-Options", "nosniff")
        w.Header().Set("X-XSS-Protection", "1; mode=block")
        w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
        w.Header().Set("Content-Security-Policy", "default-src 'self'")
        w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
        next.ServeHTTP(w, r)
    })
}

// Next.js configuration (next.config.js)
module.exports = {
  async headers() {
    return [
      {
        source: '/:path*',
        headers: [
          { key: 'X-Frame-Options', value: 'DENY' },
          { key: 'X-Content-Type-Options', value: 'nosniff' },
          { key: 'X-XSS-Protection', value: '1; mode=block' },
          { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
          { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
        ],
      },
    ]
  },
}

Debug Mode Enabled in Production

Detection:

grep -r "DEBUG.*=.*true" .
grep -r "NODE_ENV.*development" .

Mitigation:

• Set DEBUG=false in production
• Set NODE_ENV=production
• Remove stack traces from error responses
• Disable verbose logging in production

---

6. Sensitive Data Exposure

Description: Application exposes sensitive data through logs, error messages, or insecure transmission.

Detection Patterns:

# VULNERABLE: Logging sensitive data
logger.info(f"User {username} logged in with password {password}")

# VULNERABLE: Exposing secrets in error messages
raise Exception(f"Database connection failed: {db_password}")

# VULNERABLE: Sensitive data in URLs
redirect(f"/reset-password?token={reset_token}")

Mitigation:

# SECURE: Never log sensitive data
logger.info(f"User {username} logged in successfully")

# SECURE: Generic error messages
raise Exception("Database connection failed")
logger.error("DB error", exc_info=True)  # Full details only in logs

# SECURE: Use POST for sensitive data
# POST /reset-password with token in body

# SECURE: Mask sensitive data
def mask_credit_card(card_number):
    return f"****-****-****-{card_number[-4:]}"

Environment Variables:

# VULNERABLE: Hardcoded secrets
API_KEY = "sk_live_abc123xyz"

# SECURE: Use environment variables
API_KEY = os.getenv("API_KEY")

# SECURE: Use Kubernetes secrets
apiVersion: v1
kind: Secret
metadata:
  name: ark-secrets
type: Opaque
data:
  api-key: <base64-encoded-value>

Ark Context:

• Check: All logging statements, error handlers
• Search for: Hardcoded secrets, API keys, passwords
• Verify: TLS/HTTPS for all communications
• Use: Kubernetes Secrets for sensitive configuration

---

7. Broken Authentication

Description: Weak authentication mechanisms allowing credential stuffing, brute force, or session hijacking.

Common Issues:

Weak Password Requirements

Mitigation:

import re

def validate_password(password):
    """Enforce strong password policy"""
    if len(password) < 12:
        return False, "Password must be at least 12 characters"
    if not re.search(r"[A-Z]", password):
        return False, "Password must contain uppercase letter"
    if not re.search(r"[a-z]", password):
        return False, "Password must contain lowercase letter"
    if not re.search(r"[0-9]", password):
        return False, "Password must contain number"
    if not re.search(r"[!@#$%^&*]", password):
        return False, "Password must contain special character"
    return True, "Password is valid"

No Rate Limiting on Login

Mitigation:

import "golang.org/x/time/rate"

// Rate limiter: 5 requests per minute per IP
var limiter = rate.NewLimiter(rate.Every(time.Minute/5), 5)

func loginHandler(w http.ResponseWriter, r *http.Request) {
    if !limiter.Allow() {
 

---

*Content truncated.*