@brunosps00/dev-workflow 0.0.3 → 0.0.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +42 -42
- package/bin/dev-workflow.js +6 -4
- package/lib/constants.js +42 -40
- package/lib/init.js +66 -19
- package/package.json +1 -1
- package/scaffold/en/commands/{analyze-project.md → dw-analyze-project.md} +69 -40
- package/scaffold/en/commands/{brainstorm.md → dw-brainstorm.md} +31 -4
- package/scaffold/en/commands/{bugfix.md → dw-bugfix.md} +63 -19
- package/scaffold/en/commands/{code-review.md → dw-code-review.md} +38 -15
- package/scaffold/en/commands/{commit.md → dw-commit.md} +25 -0
- package/scaffold/en/commands/{create-prd.md → dw-create-prd.md} +24 -10
- package/scaffold/en/commands/{create-tasks.md → dw-create-tasks.md} +11 -4
- package/scaffold/en/commands/{create-techspec.md → dw-create-techspec.md} +38 -11
- package/scaffold/en/commands/{deep-research.md → dw-deep-research.md} +18 -17
- package/scaffold/en/commands/{fix-qa.md → dw-fix-qa.md} +20 -3
- package/scaffold/en/commands/dw-functional-doc.md +276 -0
- package/scaffold/en/commands/{generate-pr.md → dw-generate-pr.md} +20 -5
- package/scaffold/en/commands/dw-help.md +309 -0
- package/scaffold/en/commands/{refactoring-analysis.md → dw-refactoring-analysis.md} +50 -26
- package/scaffold/en/commands/{review-implementation.md → dw-review-implementation.md} +25 -6
- package/scaffold/en/commands/{run-plan.md → dw-run-plan.md} +21 -6
- package/scaffold/en/commands/{run-qa.md → dw-run-qa.md} +32 -13
- package/scaffold/en/commands/{run-task.md → dw-run-task.md} +17 -7
- package/scaffold/en/references/playwright-patterns.md +136 -0
- package/scaffold/en/references/refactoring-catalog.md +167 -0
- package/scaffold/en/templates/brainstorm-matrix.md +44 -0
- package/scaffold/en/templates/functional-doc/case-matrix.md +5 -0
- package/scaffold/en/templates/functional-doc/e2e-runbook.md +3 -0
- package/scaffold/en/templates/functional-doc/features.md +3 -0
- package/scaffold/en/templates/functional-doc/overview.md +21 -0
- package/scaffold/en/templates/functional-doc/playwright.spec.ts.tpl +19 -0
- package/scaffold/en/templates/pr-bugfix-template.md +28 -0
- package/scaffold/en/templates/qa-test-credentials.md +37 -0
- package/scaffold/en/templates/tasks-template.md +1 -1
- package/scaffold/en/templates/techspec-template.md +1 -1
- package/scaffold/pt-br/commands/{analyze-project.md → dw-analyze-project.md} +94 -44
- package/scaffold/pt-br/commands/{brainstorm.md → dw-brainstorm.md} +32 -5
- package/scaffold/pt-br/commands/{bugfix.md → dw-bugfix.md} +73 -16
- package/scaffold/pt-br/commands/{code-review.md → dw-code-review.md} +80 -17
- package/scaffold/pt-br/commands/{commit.md → dw-commit.md} +45 -1
- package/scaffold/pt-br/commands/{create-prd.md → dw-create-prd.md} +25 -10
- package/scaffold/pt-br/commands/{create-tasks.md → dw-create-tasks.md} +24 -17
- package/scaffold/pt-br/commands/{create-techspec.md → dw-create-techspec.md} +40 -13
- package/scaffold/pt-br/commands/{deep-research.md → dw-deep-research.md} +19 -11
- package/scaffold/pt-br/commands/{fix-qa.md → dw-fix-qa.md} +30 -1
- package/scaffold/pt-br/commands/dw-functional-doc.md +276 -0
- package/scaffold/pt-br/commands/{generate-pr.md → dw-generate-pr.md} +61 -6
- package/scaffold/pt-br/commands/dw-help.md +248 -0
- package/scaffold/pt-br/commands/{refactoring-analysis.md → dw-refactoring-analysis.md} +49 -25
- package/scaffold/pt-br/commands/{review-implementation.md → dw-review-implementation.md} +53 -5
- package/scaffold/pt-br/commands/{run-plan.md → dw-run-plan.md} +100 -12
- package/scaffold/pt-br/commands/{run-qa.md → dw-run-qa.md} +93 -18
- package/scaffold/pt-br/commands/{run-task.md → dw-run-task.md} +35 -10
- package/scaffold/pt-br/references/playwright-patterns.md +133 -0
- package/scaffold/pt-br/references/refactoring-catalog.md +166 -0
- package/scaffold/pt-br/templates/brainstorm-matrix.md +44 -0
- package/scaffold/pt-br/templates/functional-doc/case-matrix.md +5 -0
- package/scaffold/pt-br/templates/functional-doc/e2e-runbook.md +3 -0
- package/scaffold/pt-br/templates/functional-doc/features.md +3 -0
- package/scaffold/pt-br/templates/functional-doc/overview.md +21 -0
- package/scaffold/pt-br/templates/functional-doc/playwright.spec.ts.tpl +19 -0
- package/scaffold/pt-br/templates/pr-bugfix-template.md +28 -0
- package/scaffold/pt-br/templates/qa-test-credentials.md +37 -0
- package/scaffold/pt-br/templates/tasks-template.md +2 -2
- package/scaffold/pt-br/templates/techspec-template.md +1 -1
- package/scaffold/rules-readme.md +3 -3
- package/scaffold/scripts/functional-doc/generate-dossier.mjs +821 -0
- package/scaffold/scripts/functional-doc/run-playwright-flow.mjs +275 -0
- package/scaffold/skills/agent-browser/SKILL.md +750 -0
- package/scaffold/skills/agent-browser/references/authentication.md +303 -0
- package/scaffold/skills/agent-browser/references/commands.md +295 -0
- package/scaffold/skills/agent-browser/references/profiling.md +120 -0
- package/scaffold/skills/agent-browser/references/proxy-support.md +194 -0
- package/scaffold/skills/agent-browser/references/session-management.md +193 -0
- package/scaffold/skills/agent-browser/references/snapshot-refs.md +219 -0
- package/scaffold/skills/agent-browser/references/video-recording.md +173 -0
- package/scaffold/skills/agent-browser/templates/authenticated-session.sh +105 -0
- package/scaffold/skills/agent-browser/templates/capture-workflow.sh +69 -0
- package/scaffold/skills/agent-browser/templates/form-automation.sh +62 -0
- package/scaffold/skills/humanizer/README.md +143 -0
- package/scaffold/skills/humanizer/SKILL.md +488 -0
- package/scaffold/skills/humanizer/WARP.md +53 -0
- package/scaffold/skills/remotion-best-practices/SKILL.md +61 -0
- package/scaffold/skills/remotion-best-practices/rules/3d.md +86 -0
- package/scaffold/skills/remotion-best-practices/rules/animations.md +27 -0
- package/scaffold/skills/remotion-best-practices/rules/assets/charts-bar-chart.tsx +173 -0
- package/scaffold/skills/remotion-best-practices/rules/assets/text-animations-typewriter.tsx +100 -0
- package/scaffold/skills/remotion-best-practices/rules/assets/text-animations-word-highlight.tsx +103 -0
- package/scaffold/skills/remotion-best-practices/rules/assets.md +78 -0
- package/scaffold/skills/remotion-best-practices/rules/audio-visualization.md +198 -0
- package/scaffold/skills/remotion-best-practices/rules/audio.md +169 -0
- package/scaffold/skills/remotion-best-practices/rules/calculate-metadata.md +134 -0
- package/scaffold/skills/remotion-best-practices/rules/can-decode.md +75 -0
- package/scaffold/skills/remotion-best-practices/rules/charts.md +120 -0
- package/scaffold/skills/remotion-best-practices/rules/compositions.md +154 -0
- package/scaffold/skills/remotion-best-practices/rules/display-captions.md +184 -0
- package/scaffold/skills/remotion-best-practices/rules/extract-frames.md +229 -0
- package/scaffold/skills/remotion-best-practices/rules/ffmpeg.md +38 -0
- package/scaffold/skills/remotion-best-practices/rules/fonts.md +152 -0
- package/scaffold/skills/remotion-best-practices/rules/get-audio-duration.md +58 -0
- package/scaffold/skills/remotion-best-practices/rules/get-video-dimensions.md +68 -0
- package/scaffold/skills/remotion-best-practices/rules/get-video-duration.md +60 -0
- package/scaffold/skills/remotion-best-practices/rules/gifs.md +141 -0
- package/scaffold/skills/remotion-best-practices/rules/images.md +134 -0
- package/scaffold/skills/remotion-best-practices/rules/import-srt-captions.md +69 -0
- package/scaffold/skills/remotion-best-practices/rules/light-leaks.md +73 -0
- package/scaffold/skills/remotion-best-practices/rules/lottie.md +70 -0
- package/scaffold/skills/remotion-best-practices/rules/maps.md +412 -0
- package/scaffold/skills/remotion-best-practices/rules/measuring-dom-nodes.md +34 -0
- package/scaffold/skills/remotion-best-practices/rules/measuring-text.md +140 -0
- package/scaffold/skills/remotion-best-practices/rules/parameters.md +109 -0
- package/scaffold/skills/remotion-best-practices/rules/sequencing.md +118 -0
- package/scaffold/skills/remotion-best-practices/rules/sfx.md +26 -0
- package/scaffold/skills/remotion-best-practices/rules/subtitles.md +36 -0
- package/scaffold/skills/remotion-best-practices/rules/tailwind.md +11 -0
- package/scaffold/skills/remotion-best-practices/rules/text-animations.md +20 -0
- package/scaffold/skills/remotion-best-practices/rules/timing.md +179 -0
- package/scaffold/skills/remotion-best-practices/rules/transcribe-captions.md +70 -0
- package/scaffold/skills/remotion-best-practices/rules/transitions.md +197 -0
- package/scaffold/skills/remotion-best-practices/rules/transparent-videos.md +106 -0
- package/scaffold/skills/remotion-best-practices/rules/trimming.md +51 -0
- package/scaffold/skills/remotion-best-practices/rules/videos.md +171 -0
- package/scaffold/skills/remotion-best-practices/rules/voiceover.md +99 -0
- package/scaffold/skills/security-review/LICENSE +22 -0
- package/scaffold/skills/security-review/SKILL.md +312 -0
- package/scaffold/skills/security-review/infrastructure/docker.md +432 -0
- package/scaffold/skills/security-review/languages/javascript.md +388 -0
- package/scaffold/skills/security-review/languages/python.md +363 -0
- package/scaffold/skills/security-review/references/api-security.md +519 -0
- package/scaffold/skills/security-review/references/authentication.md +353 -0
- package/scaffold/skills/security-review/references/authorization.md +372 -0
- package/scaffold/skills/security-review/references/business-logic.md +443 -0
- package/scaffold/skills/security-review/references/cryptography.md +329 -0
- package/scaffold/skills/security-review/references/csrf.md +398 -0
- package/scaffold/skills/security-review/references/data-protection.md +378 -0
- package/scaffold/skills/security-review/references/deserialization.md +410 -0
- package/scaffold/skills/security-review/references/error-handling.md +436 -0
- package/scaffold/skills/security-review/references/file-security.md +457 -0
- package/scaffold/skills/security-review/references/injection.md +259 -0
- package/scaffold/skills/security-review/references/logging.md +433 -0
- package/scaffold/skills/security-review/references/misconfiguration.md +435 -0
- package/scaffold/skills/security-review/references/modern-threats.md +475 -0
- package/scaffold/skills/security-review/references/ssrf.md +415 -0
- package/scaffold/skills/security-review/references/supply-chain.md +405 -0
- package/scaffold/skills/security-review/references/xss.md +336 -0
- package/scaffold/skills/vercel-react-best-practices/AGENTS.md +3648 -0
- package/scaffold/skills/vercel-react-best-practices/README.md +123 -0
- package/scaffold/skills/vercel-react-best-practices/SKILL.md +146 -0
- package/scaffold/skills/vercel-react-best-practices/rules/_sections.md +46 -0
- package/scaffold/skills/vercel-react-best-practices/rules/_template.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/advanced-event-handler-refs.md +55 -0
- package/scaffold/skills/vercel-react-best-practices/rules/advanced-init-once.md +42 -0
- package/scaffold/skills/vercel-react-best-practices/rules/advanced-use-latest.md +39 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-api-routes.md +38 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-cheap-condition-before-await.md +37 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-defer-await.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-dependencies.md +51 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-parallel.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/async-suspense-boundaries.md +99 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-barrel-imports.md +60 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-conditional.md +31 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-defer-third-party.md +49 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-dynamic-imports.md +35 -0
- package/scaffold/skills/vercel-react-best-practices/rules/bundle-preload.md +50 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-event-listeners.md +74 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-localstorage-schema.md +71 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-passive-event-listeners.md +48 -0
- package/scaffold/skills/vercel-react-best-practices/rules/client-swr-dedup.md +56 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-batch-dom-css.md +107 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-cache-function-results.md +80 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-cache-property-access.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-cache-storage.md +70 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-combine-iterations.md +32 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-early-exit.md +50 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-flatmap-filter.md +60 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-hoist-regexp.md +45 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-index-maps.md +37 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-length-check-first.md +49 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-min-max-loop.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-request-idle-callback.md +105 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-set-map-lookups.md +24 -0
- package/scaffold/skills/vercel-react-best-practices/rules/js-tosorted-immutable.md +57 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-activity.md +26 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-conditional-render.md +40 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-content-visibility.md +38 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-hoist-jsx.md +46 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-hydration-suppress-warning.md +30 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-resource-hints.md +85 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-script-defer-async.md +68 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-svg-precision.md +28 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rendering-usetransition-loading.md +75 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-defer-reads.md +39 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-dependencies.md +45 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-derived-state-no-effect.md +40 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-derived-state.md +29 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-functional-setstate.md +74 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-lazy-state-init.md +58 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-memo-with-default-value.md +38 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-memo.md +44 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-move-effect-to-event.md +45 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-no-inline-components.md +82 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-simple-expression-in-memo.md +35 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-split-combined-hooks.md +64 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-transitions.md +40 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-use-deferred-value.md +59 -0
- package/scaffold/skills/vercel-react-best-practices/rules/rerender-use-ref-transient-values.md +73 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-after-nonblocking.md +73 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-auth-actions.md +96 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-cache-lru.md +41 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-cache-react.md +76 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-dedup-props.md +65 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-hoist-static-io.md +149 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-parallel-fetching.md +83 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-parallel-nested-fetching.md +34 -0
- package/scaffold/skills/vercel-react-best-practices/rules/server-serialization.md +38 -0
- package/scaffold/skills/webapp-testing/SKILL.md +133 -0
- package/scaffold/skills/webapp-testing/assets/test-helper.js +56 -0
- package/scaffold/en/commands/help.md +0 -289
- package/scaffold/pt-br/commands/help.md +0 -226
|
@@ -0,0 +1,435 @@
|
|
|
1
|
+
# Security Misconfiguration Reference
|
|
2
|
+
|
|
3
|
+
## Overview
|
|
4
|
+
|
|
5
|
+
Security misconfiguration is one of the most common vulnerabilities. It occurs when security settings are not defined, implemented incorrectly, or left at insecure defaults. This includes missing security headers, overly permissive CORS, debug mode in production, and exposed sensitive endpoints.
|
|
6
|
+
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## Security Headers
|
|
10
|
+
|
|
11
|
+
### Missing Headers
|
|
12
|
+
|
|
13
|
+
```python
|
|
14
|
+
# VULNERABLE: No security headers
|
|
15
|
+
@app.route('/')
|
|
16
|
+
def index():
|
|
17
|
+
return render_template('index.html')
|
|
18
|
+
|
|
19
|
+
# SAFE: Security headers configured
|
|
20
|
+
@app.after_request
|
|
21
|
+
def add_security_headers(response):
|
|
22
|
+
response.headers['X-Content-Type-Options'] = 'nosniff'
|
|
23
|
+
response.headers['X-Frame-Options'] = 'DENY'
|
|
24
|
+
response.headers['X-XSS-Protection'] = '1; mode=block'
|
|
25
|
+
response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
|
|
26
|
+
response.headers['Content-Security-Policy'] = "default-src 'self'"
|
|
27
|
+
response.headers['Referrer-Policy'] = 'strict-origin-when-cross-origin'
|
|
28
|
+
response.headers['Permissions-Policy'] = 'geolocation=(), microphone=()'
|
|
29
|
+
return response
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
### Header Checklist
|
|
33
|
+
|
|
34
|
+
| Header | Purpose | Secure Value |
|
|
35
|
+
|--------|---------|--------------|
|
|
36
|
+
| `X-Content-Type-Options` | Prevent MIME sniffing | `nosniff` |
|
|
37
|
+
| `X-Frame-Options` | Prevent clickjacking | `DENY` or `SAMEORIGIN` |
|
|
38
|
+
| `Strict-Transport-Security` | Force HTTPS | `max-age=31536000; includeSubDomains` |
|
|
39
|
+
| `Content-Security-Policy` | Prevent XSS, injection | Restrictive policy |
|
|
40
|
+
| `Referrer-Policy` | Control referrer leakage | `strict-origin-when-cross-origin` |
|
|
41
|
+
| `Permissions-Policy` | Disable browser features | Disable unused features |
|
|
42
|
+
|
|
43
|
+
### Content Security Policy
|
|
44
|
+
|
|
45
|
+
```python
|
|
46
|
+
# VULNERABLE: Overly permissive CSP
|
|
47
|
+
"Content-Security-Policy: default-src *"
|
|
48
|
+
"Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval'"
|
|
49
|
+
|
|
50
|
+
# SAFE: Restrictive CSP
|
|
51
|
+
"Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'"
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
---
|
|
55
|
+
|
|
56
|
+
## CORS Misconfiguration
|
|
57
|
+
|
|
58
|
+
### Dangerous Patterns
|
|
59
|
+
|
|
60
|
+
```python
|
|
61
|
+
# VULNERABLE: Allow all origins
|
|
62
|
+
CORS(app, origins='*')
|
|
63
|
+
Access-Control-Allow-Origin: *
|
|
64
|
+
|
|
65
|
+
# VULNERABLE: Reflect origin without validation
|
|
66
|
+
@app.after_request
|
|
67
|
+
def add_cors(response):
|
|
68
|
+
response.headers['Access-Control-Allow-Origin'] = request.headers.get('Origin')
|
|
69
|
+
response.headers['Access-Control-Allow-Credentials'] = 'true'
|
|
70
|
+
return response
|
|
71
|
+
|
|
72
|
+
# VULNERABLE: Wildcard with credentials (browsers block, but shows misconfiguration)
|
|
73
|
+
Access-Control-Allow-Origin: *
|
|
74
|
+
Access-Control-Allow-Credentials: true
|
|
75
|
+
|
|
76
|
+
# VULNERABLE: Null origin allowed
|
|
77
|
+
Access-Control-Allow-Origin: null
|
|
78
|
+
```
|
|
79
|
+
|
|
80
|
+
### Safe CORS Configuration
|
|
81
|
+
|
|
82
|
+
```python
|
|
83
|
+
# SAFE: Explicit allowlist
|
|
84
|
+
ALLOWED_ORIGINS = {
|
|
85
|
+
'https://app.example.com',
|
|
86
|
+
'https://admin.example.com'
|
|
87
|
+
}
|
|
88
|
+
|
|
89
|
+
@app.after_request
|
|
90
|
+
def add_cors(response):
|
|
91
|
+
origin = request.headers.get('Origin')
|
|
92
|
+
if origin in ALLOWED_ORIGINS:
|
|
93
|
+
response.headers['Access-Control-Allow-Origin'] = origin
|
|
94
|
+
response.headers['Access-Control-Allow-Credentials'] = 'true'
|
|
95
|
+
response.headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS'
|
|
96
|
+
response.headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
|
|
97
|
+
return response
|
|
98
|
+
```
|
|
99
|
+
|
|
100
|
+
---
|
|
101
|
+
|
|
102
|
+
## Debug Mode in Production
|
|
103
|
+
|
|
104
|
+
### Dangerous Patterns
|
|
105
|
+
|
|
106
|
+
```python
|
|
107
|
+
# VULNERABLE: Debug mode enabled
|
|
108
|
+
# Flask
|
|
109
|
+
app.run(debug=True)
|
|
110
|
+
DEBUG = True
|
|
111
|
+
|
|
112
|
+
# Django
|
|
113
|
+
DEBUG = True # in settings.py
|
|
114
|
+
|
|
115
|
+
# Express
|
|
116
|
+
app.set('env', 'development')
|
|
117
|
+
|
|
118
|
+
# Spring Boot
|
|
119
|
+
spring.devtools.restart.enabled=true
|
|
120
|
+
management.endpoints.web.exposure.include=*
|
|
121
|
+
```
|
|
122
|
+
|
|
123
|
+
### Detection
|
|
124
|
+
|
|
125
|
+
```python
|
|
126
|
+
# Check for debug indicators
|
|
127
|
+
if app.debug:
|
|
128
|
+
# Exposes stack traces, allows code execution in some frameworks
|
|
129
|
+
pass
|
|
130
|
+
|
|
131
|
+
# Check environment variables
|
|
132
|
+
if os.environ.get('DEBUG') == 'true':
|
|
133
|
+
pass
|
|
134
|
+
if os.environ.get('FLASK_ENV') == 'development':
|
|
135
|
+
pass
|
|
136
|
+
```
|
|
137
|
+
|
|
138
|
+
---
|
|
139
|
+
|
|
140
|
+
## Default Credentials
|
|
141
|
+
|
|
142
|
+
### Patterns to Flag
|
|
143
|
+
|
|
144
|
+
```python
|
|
145
|
+
# VULNERABLE: Default/weak credentials
|
|
146
|
+
username = 'admin'
|
|
147
|
+
password = 'admin'
|
|
148
|
+
password = 'password'
|
|
149
|
+
password = '123456'
|
|
150
|
+
password = 'changeme'
|
|
151
|
+
password = 'default'
|
|
152
|
+
|
|
153
|
+
# VULNERABLE: Well-known default credentials
|
|
154
|
+
# Database defaults
|
|
155
|
+
DB_PASSWORD = 'root'
|
|
156
|
+
DB_PASSWORD = 'postgres'
|
|
157
|
+
DB_PASSWORD = 'mysql'
|
|
158
|
+
|
|
159
|
+
# Admin panel defaults
|
|
160
|
+
ADMIN_PASSWORD = 'admin123'
|
|
161
|
+
SECRET_KEY = 'development-secret-key'
|
|
162
|
+
```
|
|
163
|
+
|
|
164
|
+
### Configuration Files to Check
|
|
165
|
+
|
|
166
|
+
```yaml
|
|
167
|
+
# Docker Compose
|
|
168
|
+
services:
|
|
169
|
+
db:
|
|
170
|
+
environment:
|
|
171
|
+
MYSQL_ROOT_PASSWORD: root # VULNERABLE
|
|
172
|
+
POSTGRES_PASSWORD: postgres # VULNERABLE
|
|
173
|
+
|
|
174
|
+
# Kubernetes Secrets (base64 encoded defaults)
|
|
175
|
+
apiVersion: v1
|
|
176
|
+
kind: Secret
|
|
177
|
+
data:
|
|
178
|
+
password: YWRtaW4= # 'admin' base64 encoded - VULNERABLE
|
|
179
|
+
```
|
|
180
|
+
|
|
181
|
+
---
|
|
182
|
+
|
|
183
|
+
## Exposed Endpoints
|
|
184
|
+
|
|
185
|
+
### Admin/Debug Endpoints
|
|
186
|
+
|
|
187
|
+
```python
|
|
188
|
+
# VULNERABLE: Exposed debug endpoints
|
|
189
|
+
@app.route('/debug')
|
|
190
|
+
@app.route('/admin') # without authentication
|
|
191
|
+
@app.route('/metrics') # without authentication
|
|
192
|
+
@app.route('/health') # may expose sensitive info
|
|
193
|
+
@app.route('/env')
|
|
194
|
+
@app.route('/config')
|
|
195
|
+
@app.route('/phpinfo.php')
|
|
196
|
+
@app.route('/.git')
|
|
197
|
+
@app.route('/.env')
|
|
198
|
+
|
|
199
|
+
# Spring Boot Actuator endpoints
|
|
200
|
+
/actuator/env
|
|
201
|
+
/actuator/heapdump
|
|
202
|
+
/actuator/configprops
|
|
203
|
+
/actuator/mappings
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
### Protection
|
|
207
|
+
|
|
208
|
+
```python
|
|
209
|
+
# SAFE: Protect sensitive endpoints
|
|
210
|
+
@app.route('/admin')
|
|
211
|
+
@require_admin
|
|
212
|
+
def admin_panel():
|
|
213
|
+
pass
|
|
214
|
+
|
|
215
|
+
@app.route('/metrics')
|
|
216
|
+
@require_internal_network
|
|
217
|
+
def metrics():
|
|
218
|
+
pass
|
|
219
|
+
|
|
220
|
+
# Spring Boot: Restrict actuator
|
|
221
|
+
management.endpoints.web.exposure.include=health,info
|
|
222
|
+
management.endpoint.health.show-details=never
|
|
223
|
+
```
|
|
224
|
+
|
|
225
|
+
---
|
|
226
|
+
|
|
227
|
+
## TLS/SSL Misconfiguration
|
|
228
|
+
|
|
229
|
+
### Insecure Patterns
|
|
230
|
+
|
|
231
|
+
```python
|
|
232
|
+
# VULNERABLE: SSL verification disabled
|
|
233
|
+
requests.get(url, verify=False)
|
|
234
|
+
urllib3.disable_warnings()
|
|
235
|
+
|
|
236
|
+
# VULNERABLE: Weak TLS versions
|
|
237
|
+
ssl_context.minimum_version = ssl.TLSVersion.TLSv1 # Use TLS 1.2+
|
|
238
|
+
|
|
239
|
+
# VULNERABLE: Weak cipher suites
|
|
240
|
+
ssl_context.set_ciphers('ALL')
|
|
241
|
+
ssl_context.set_ciphers('DEFAULT')
|
|
242
|
+
```
|
|
243
|
+
|
|
244
|
+
### Secure Configuration
|
|
245
|
+
|
|
246
|
+
```python
|
|
247
|
+
# SAFE: Proper TLS configuration
|
|
248
|
+
import ssl
|
|
249
|
+
|
|
250
|
+
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
|
|
251
|
+
context.minimum_version = ssl.TLSVersion.TLSv1_2
|
|
252
|
+
context.set_ciphers('ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20')
|
|
253
|
+
context.verify_mode = ssl.CERT_REQUIRED
|
|
254
|
+
context.check_hostname = True
|
|
255
|
+
```
|
|
256
|
+
|
|
257
|
+
---
|
|
258
|
+
|
|
259
|
+
## Directory Listing
|
|
260
|
+
|
|
261
|
+
### Dangerous Patterns
|
|
262
|
+
|
|
263
|
+
```nginx
|
|
264
|
+
# VULNERABLE: Directory listing enabled
|
|
265
|
+
# Nginx
|
|
266
|
+
autoindex on;
|
|
267
|
+
|
|
268
|
+
# Apache
|
|
269
|
+
Options +Indexes
|
|
270
|
+
|
|
271
|
+
# Python
|
|
272
|
+
python -m http.server # Lists directories by default
|
|
273
|
+
```
|
|
274
|
+
|
|
275
|
+
### Secure Configuration
|
|
276
|
+
|
|
277
|
+
```nginx
|
|
278
|
+
# SAFE: Directory listing disabled
|
|
279
|
+
# Nginx
|
|
280
|
+
autoindex off;
|
|
281
|
+
|
|
282
|
+
# Apache
|
|
283
|
+
Options -Indexes
|
|
284
|
+
```
|
|
285
|
+
|
|
286
|
+
---
|
|
287
|
+
|
|
288
|
+
## Verbose Error Messages
|
|
289
|
+
|
|
290
|
+
### Dangerous Patterns
|
|
291
|
+
|
|
292
|
+
```python
|
|
293
|
+
# VULNERABLE: Detailed errors in response
|
|
294
|
+
@app.errorhandler(Exception)
|
|
295
|
+
def handle_error(e):
|
|
296
|
+
return jsonify({
|
|
297
|
+
'error': str(e),
|
|
298
|
+
'traceback': traceback.format_exc(),
|
|
299
|
+
'query': last_executed_query,
|
|
300
|
+
'config': app.config
|
|
301
|
+
}), 500
|
|
302
|
+
|
|
303
|
+
# VULNERABLE: Stack traces exposed
|
|
304
|
+
app.config['PROPAGATE_EXCEPTIONS'] = True
|
|
305
|
+
```
|
|
306
|
+
|
|
307
|
+
### Secure Error Handling
|
|
308
|
+
|
|
309
|
+
```python
|
|
310
|
+
# SAFE: Generic error messages
|
|
311
|
+
@app.errorhandler(Exception)
|
|
312
|
+
def handle_error(e):
|
|
313
|
+
app.logger.error(f"Error: {e}", exc_info=True) # Log details server-side
|
|
314
|
+
return jsonify({'error': 'An unexpected error occurred'}), 500
|
|
315
|
+
```
|
|
316
|
+
|
|
317
|
+
---
|
|
318
|
+
|
|
319
|
+
## Cookie Security
|
|
320
|
+
|
|
321
|
+
### Insecure Patterns
|
|
322
|
+
|
|
323
|
+
```python
|
|
324
|
+
# VULNERABLE: Insecure cookie settings
|
|
325
|
+
response.set_cookie('session', value) # Missing flags
|
|
326
|
+
|
|
327
|
+
# VULNERABLE: Explicit insecure flags
|
|
328
|
+
response.set_cookie('session', value, secure=False, httponly=False, samesite='None')
|
|
329
|
+
```
|
|
330
|
+
|
|
331
|
+
### Secure Cookie Configuration
|
|
332
|
+
|
|
333
|
+
```python
|
|
334
|
+
# SAFE: Secure cookie settings
|
|
335
|
+
response.set_cookie(
|
|
336
|
+
'session',
|
|
337
|
+
value,
|
|
338
|
+
secure=True, # HTTPS only
|
|
339
|
+
httponly=True, # No JavaScript access
|
|
340
|
+
samesite='Lax', # CSRF protection
|
|
341
|
+
max_age=3600, # Reasonable expiration
|
|
342
|
+
path='/',
|
|
343
|
+
domain='.example.com'
|
|
344
|
+
)
|
|
345
|
+
|
|
346
|
+
# Flask session configuration
|
|
347
|
+
app.config['SESSION_COOKIE_SECURE'] = True
|
|
348
|
+
app.config['SESSION_COOKIE_HTTPONLY'] = True
|
|
349
|
+
app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
|
|
350
|
+
```
|
|
351
|
+
|
|
352
|
+
---
|
|
353
|
+
|
|
354
|
+
## Permissive File Permissions
|
|
355
|
+
|
|
356
|
+
### Dangerous Patterns
|
|
357
|
+
|
|
358
|
+
```python
|
|
359
|
+
# VULNERABLE: World-readable sensitive files
|
|
360
|
+
os.chmod(config_file, 0o777)
|
|
361
|
+
os.chmod(private_key, 0o644)
|
|
362
|
+
|
|
363
|
+
# VULNERABLE: Overly permissive umask
|
|
364
|
+
os.umask(0o000)
|
|
365
|
+
```
|
|
366
|
+
|
|
367
|
+
### Secure Permissions
|
|
368
|
+
|
|
369
|
+
```python
|
|
370
|
+
# SAFE: Restrictive permissions
|
|
371
|
+
os.chmod(config_file, 0o600) # Owner read/write only
|
|
372
|
+
os.chmod(private_key, 0o400) # Owner read only
|
|
373
|
+
os.chmod(script, 0o700) # Owner execute only
|
|
374
|
+
```
|
|
375
|
+
|
|
376
|
+
---
|
|
377
|
+
|
|
378
|
+
## HTTP Methods
|
|
379
|
+
|
|
380
|
+
### Dangerous Patterns
|
|
381
|
+
|
|
382
|
+
```python
|
|
383
|
+
# VULNERABLE: All methods allowed
|
|
384
|
+
@app.route('/api/data', methods=['GET', 'POST', 'PUT', 'DELETE', 'TRACE', 'OPTIONS'])
|
|
385
|
+
|
|
386
|
+
# VULNERABLE: TRACE method enabled (XST attacks)
|
|
387
|
+
# VULNERABLE: Unnecessary methods on sensitive endpoints
|
|
388
|
+
```
|
|
389
|
+
|
|
390
|
+
### Secure Configuration
|
|
391
|
+
|
|
392
|
+
```python
|
|
393
|
+
# SAFE: Explicit method restrictions
|
|
394
|
+
@app.route('/api/data', methods=['GET'])
|
|
395
|
+
def get_data():
|
|
396
|
+
pass
|
|
397
|
+
|
|
398
|
+
@app.route('/api/data', methods=['POST'])
|
|
399
|
+
@require_auth
|
|
400
|
+
def create_data():
|
|
401
|
+
pass
|
|
402
|
+
```
|
|
403
|
+
|
|
404
|
+
---
|
|
405
|
+
|
|
406
|
+
## Grep Patterns for Detection
|
|
407
|
+
|
|
408
|
+
```bash
|
|
409
|
+
# Debug mode
|
|
410
|
+
grep -rn "debug.*=.*[Tt]rue\|DEBUG.*=.*[Tt]rue" --include="*.py" --include="*.js" --include="*.json"
|
|
411
|
+
|
|
412
|
+
# CORS wildcards
|
|
413
|
+
grep -rn "Access-Control-Allow-Origin.*\*\|origins.*\*\|origin.*\*" --include="*.py" --include="*.js"
|
|
414
|
+
|
|
415
|
+
# SSL verification disabled
|
|
416
|
+
grep -rn "verify.*=.*[Ff]alse\|rejectUnauthorized.*false\|NODE_TLS_REJECT_UNAUTHORIZED" --include="*.py" --include="*.js"
|
|
417
|
+
|
|
418
|
+
# Default credentials
|
|
419
|
+
grep -rn "password.*=.*['\"]admin\|password.*=.*['\"]root\|password.*=.*['\"]123456" --include="*.py" --include="*.yaml" --include="*.yml"
|
|
420
|
+
|
|
421
|
+
# Missing security headers (check for absence)
|
|
422
|
+
grep -rn "after_request\|middleware" --include="*.py" | grep -v "X-Content-Type-Options\|X-Frame-Options"
|
|
423
|
+
|
|
424
|
+
# Exposed endpoints
|
|
425
|
+
grep -rn "@app.route.*debug\|@app.route.*admin\|@app.route.*config\|/actuator" --include="*.py" --include="*.java"
|
|
426
|
+
```
|
|
427
|
+
|
|
428
|
+
---
|
|
429
|
+
|
|
430
|
+
## References
|
|
431
|
+
|
|
432
|
+
- [OWASP Security Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)
|
|
433
|
+
- [OWASP HTTP Security Headers](https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html)
|
|
434
|
+
- [OWASP TLS Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html)
|
|
435
|
+
- [CWE-16: Configuration](https://cwe.mitre.org/data/definitions/16.html)
|