From 07e9083a132670e7e4e88dbcabe46eeb11d43e78 Mon Sep 17 00:00:00 2001
From: Zhongwei Li
Date: Sun, 30 Nov 2025 08:22:02 +0800
Subject: [PATCH] Initial commit
---
.claude-plugin/plugin.json | 15 +++++
README.md | 3 +
commands/validate-csrf.md | 8 +++
plugin.lock.json | 61 +++++++++++++++++++
skills/csrf-protection-validator/SKILL.md | 55 +++++++++++++++++
.../assets/README.md | 6 ++
.../references/README.md | 7 +++
.../scripts/README.md | 6 ++
8 files changed, 161 insertions(+)
create mode 100644 .claude-plugin/plugin.json
create mode 100644 README.md
create mode 100644 commands/validate-csrf.md
create mode 100644 plugin.lock.json
create mode 100644 skills/csrf-protection-validator/SKILL.md
create mode 100644 skills/csrf-protection-validator/assets/README.md
create mode 100644 skills/csrf-protection-validator/references/README.md
create mode 100644 skills/csrf-protection-validator/scripts/README.md
diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json
new file mode 100644
index 0000000..e8ddcd5
--- /dev/null
+++ b/.claude-plugin/plugin.json
@@ -0,0 +1,15 @@
+{
+ "name": "csrf-protection-validator",
+ "description": "Validate CSRF protection",
+ "version": "1.0.0",
+ "author": {
+ "name": "Jeremy Longshore",
+ "email": "[email protected]"
+ },
+ "skills": [
+ "./skills"
+ ],
+ "commands": [
+ "./commands"
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b988a2a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# csrf-protection-validator
+
+Validate CSRF protection
diff --git a/commands/validate-csrf.md b/commands/validate-csrf.md
new file mode 100644
index 0000000..205880e
--- /dev/null
+++ b/commands/validate-csrf.md
@@ -0,0 +1,8 @@
+---
+description: DESCRIPTION_PLACEHOLDER
+shortcut: SHORTCUT_PLACEHOLDER
+---
+
+# TITLE_PLACEHOLDER
+
+CONTENT_PLACEHOLDER
diff --git a/plugin.lock.json b/plugin.lock.json
new file mode 100644
index 0000000..9f541a7
--- /dev/null
+++ b/plugin.lock.json
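Review bot: The `author.email` value `"[email protected]"` in plugin.json is a redacted placeholder, not an address, so anything that reads the manifest for contact or attribution gets a string that is not a valid email. Either supply the real contact or drop the `email` key from `author` (from the visible lines nothing appears to require it — confirm against the manifest schema). The file also ends without a trailing newline (`\ No newline at end of file`), which will show up as noise in every later diff of this manifest.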
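Review bot: Every field in commands/validate-csrf.md is an unreplaced template value — `description: DESCRIPTION_PLACEHOLDER`, `shortcut: SHORTCUT_PLACEHOLDER`, `# TITLE_PLACEHOLDER`, `CONTENT_PLACEHOLDER` — so the command this plugin registers through `"commands": ["./commands"]` in plugin.json has no description, no shortcut and no instructions. At minimum the frontmatter and body should hand off to the skill, e.g. `description: Validate the CSRF protection of the current project` and a body line such as `Apply the validating-csrf-protection skill to the current project and report each unprotected state-changing endpoint with its recommended fix.` Note that plugin.lock.json pins a sha256 for this path, so the lockfile will presumably need regenerating after the edit.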
@@ -0,0 +1,61 @@
+{
+ "$schema": "internal://schemas/plugin.lock.v1.json",
+ "pluginId": "gh:jeremylongshore/claude-code-plugins-plus:plugins/security/csrf-protection-validator",
+ "normalized": {
+ "repo": null,
+ "ref": "refs/tags/v20251128.0",
+ "commit": "6272f975d32266a0753196a7a7b10902aff92ae0",
+ "treeHash": "c414c20959678bcba1aece6972df5bb40387bf5453c4bc33be63a2fdcd34c629",
+ "generatedAt": "2025-11-28T10:18:16.963589Z",
+ "toolVersion": "publish_plugins.py@0.2.0"
+ },
+ "origin": {
+ "remote": "git@github.com:zhongweili/42plugin-data.git",
+ "branch": "master",
+ "commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390",
+ "repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"
+ },
+ "manifest": {
+ "name": "csrf-protection-validator",
+ "description": "Validate CSRF protection",
+ "version": "1.0.0"
+ },
+ "content": {
+ "files": [
+ {
+ "path": "README.md",
+ "sha256": "5cc458ae95adeb63f9b166a361d7f322fa80aa2f399ffef1dc554d7d3f7c5d1a"
+ },
+ {
+ "path": ".claude-plugin/plugin.json",
+ "sha256": "3b15fc1bd40d5e15713126ba4ce04cc074f86dbf491d234b9d27fd739a8f09ca"
+ },
+ {
+ "path": "commands/validate-csrf.md",
+ "sha256": "26981dafecd0bda9d89082c091325c9fdc3ac197318243e952dde0b1a38f4088"
+ },
+ {
+ "path": "skills/csrf-protection-validator/SKILL.md",
+ "sha256": "fbd00532f9b3fd07b5f3e2bb2b2a24681cd609a4aeb916a166a9522a46b0b35c"
+ },
+ {
+ "path": "skills/csrf-protection-validator/references/README.md",
+ "sha256": "723bb2a098f5a1d1e800f373cfbbf32dee4b510f27d20d810511bd404ce7ceb0"
+ },
+ {
+ "path": "skills/csrf-protection-validator/scripts/README.md",
+ "sha256": "63cab1cb84966062c38984855b44ffc27cb230374d248e7db564e9931dac7c32"
+ },
+ {
+ "path": "skills/csrf-protection-validator/assets/README.md",
+ "sha256": "8b9c6ed5c1615510ece49707cc0b3faa3c9d74bd58ab341a3fbb6cdd871de2b7"
+ }
+ ],
+ "dirSha256": "c414c20959678bcba1aece6972df5bb40387bf5453c4bc33be63a2fdcd34c629"
+ },
+ "security": {
+ "scannedAt": null,
+ "scannerVersion": null,
+ "flags": []
+ }
+}
\ No newline at end of file
diff --git a/skills/csrf-protection-validator/SKILL.md b/skills/csrf-protection-validator/SKILL.md
new file mode 100644
index 0000000..c25979e
--- /dev/null
+++ b/skills/csrf-protection-validator/SKILL.md
@@ -0,0 +1,55 @@
+---
+name: validating-csrf-protection
+description: |
+ This skill helps to identify Cross-Site Request Forgery (CSRF) vulnerabilities in web applications. It validates the implementation of CSRF protection mechanisms, such as synchronizer tokens, double-submit cookies, SameSite attributes, and origin validation. Use this skill when you need to analyze your application's security posture against CSRF attacks or when asked to "validate csrf", "check for csrf vulnerabilities", or "test csrf protection".
+allowed-tools: Read, Write, Edit, Grep, Glob, Bash
+version: 1.0.0
+---
+
+## Overview
+
+This skill empowers Claude to analyze web applications for CSRF vulnerabilities. It assesses the effectiveness of implemented CSRF protection mechanisms, providing insights into potential weaknesses and recommendations for remediation.
+
+## How It Works
+
+1. **Analyze Endpoints**: The plugin examines application endpoints to identify those lacking CSRF protection.
+2. **Assess Protection Mechanisms**: It validates the implementation of CSRF protection mechanisms, including token validation, double-submit cookies, SameSite attributes, and origin validation.
+3. **Generate Report**: A detailed report is generated, highlighting vulnerable endpoints, potential attack scenarios, and recommended fixes.
+
+## When to Use This Skill
+
+This skill activates when you need to:
+- Validate existing CSRF protection measures.
+- Identify CSRF vulnerabilities in a web application.
+- Assess the risk associated with unprotected endpoints.
+- Generate a report outlining CSRF vulnerabilities and recommended fixes.
+
+## Examples
+
+### Example 1: Identifying Unprotected API Endpoints
+
+User request: "validate csrf"
+
+The skill will:
+1. Analyze the application's API endpoints.
+2. Identify endpoints lacking CSRF protection, such as those handling sensitive data modifications.
+3. Generate a report outlining vulnerable endpoints and potential attack vectors.
+
+### Example 2: Checking SameSite Cookie Attributes
+
+User request: "Check for csrf vulnerabilities in my application"
+
+The skill will:
+1. Analyze the application's cookie settings.
+2. Verify that SameSite attributes are properly configured to mitigate CSRF attacks.
+3. Report any cookies lacking the SameSite attribute or using an insecure setting.
+
+## Best Practices
+
+- **Regular Validation**: Regularly validate CSRF protection mechanisms as part of the development lifecycle.
+- **Comprehensive Coverage**: Ensure all state-changing operations are protected against CSRF attacks.
+- **Secure Configuration**: Use secure configurations for CSRF protection mechanisms, such as strong token generation and proper SameSite attribute settings.
+
+## Integration
+
+This skill can be used in conjunction with other security plugins to provide a comprehensive security assessment of web applications. For example, it can be combined with a vulnerability scanner to identify other potential vulnerabilities in addition to CSRF weaknesses.
\ No newline at end of file
diff --git a/skills/csrf-protection-validator/assets/README.md b/skills/csrf-protection-validator/assets/README.md
new file mode 100644
index 0000000..d7e28d8
--- /dev/null
+++ b/skills/csrf-protection-validator/assets/README.md
@@ -0,0 +1,6 @@
+# Assets
+
+Bundled resources for csrf-protection-validator skill
+
+- [ ] csrf_report_template.md: Template for generating CSRF vulnerability reports.
+- [ ] example_csrf_form.html: Example HTML form vulnerable to CSRF.
diff --git a/skills/csrf-protection-validator/references/README.md b/skills/csrf-protection-validator/references/README.md
new file mode 100644
index 0000000..4f2460e
--- /dev/null
+++ b/skills/csrf-protection-validator/references/README.md
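Review bot: `allowed-tools: Read, Write, Edit, Grep, Glob, Bash` in the SKILL.md frontmatter grants more than the skill's own description uses — every step in How It Works and both Examples is read-only analysis that ends in a report, yet the skill is allowed to edit files and run shell commands. Under least privilege the list should be `allowed-tools: Read, Grep, Glob` (add `Write` only if the report is written to a file), and `Bash` should be granted only once the `csrf_test.sh` and `csrf_report_parser.py` listed as unchecked in scripts/README.md actually exist and the skill documents how and against what they are run. Separately, the frontmatter `name: validating-csrf-protection` does not match the directory name and the manifest `name` `csrf-protection-validator`; if the loader resolves skills by `name` this mismatch may matter — confirm. The description and Example 1 promise a report of "attack scenarios"/"attack vectors"; stating that the report covers the affected endpoint, the missing or misconfigured control and the remediation would keep it aligned with the Best Practices section.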
@@ -0,0 +1,7 @@
+# References
+
+Bundled resources for csrf-protection-validator skill
+
+- [ ] csrf_protection_methods.md: Detailed explanation of CSRF protection methods (Synchronizer Token, Double Submit Cookie, SameSite Cookie, Origin Validation).
+- [ ] owasp_csrf_cheatsheet.md: Link to the OWASP CSRF Prevention Cheat Sheet.
+- [ ] csrf_api_examples.md: API usage examples for different languages and frameworks.
diff --git a/skills/csrf-protection-validator/scripts/README.md b/skills/csrf-protection-validator/scripts/README.md
new file mode 100644
index 0000000..bee9d82
--- /dev/null
+++ b/skills/csrf-protection-validator/scripts/README.md
@@ -0,0 +1,6 @@
+# Scripts
+
+Bundled resources for csrf-protection-validator skill
+
+- [ ] csrf_test.sh: Automates CSRF vulnerability testing for a given URL.
+- [ ] csrf_report_parser.py: Parses the output of CSRF tests and generates a concise report.