@vetala/vetala 0.1.0-beta

package/skill/code-security-audit/references/vulnerability_patterns.md

@@ -0,0 +1,813 @@
+# Vulnerability Patterns
+
+Concrete code-level vulnerability patterns organized by category. Synthesized from OWASP ASVS 5.0.0, API Security Top 10 2023, CheatSheet Series, and WSTG test scenarios.
+
+## Table of Contents
+
+- [1. Injection](#1-injection)
+- [2. Broken Authentication](#2-broken-authentication)
+- [3. Broken Authorization](#3-broken-authorization)
+- [4. Sensitive Data Exposure](#4-sensitive-data-exposure)
+- [5. Security Misconfiguration](#5-security-misconfiguration)
+- [6. Cross-Site Scripting (XSS)](#6-cross-site-scripting-xss)
+- [7. Insecure Deserialization](#7-insecure-deserialization)
+- [8. Server-Side Request Forgery (SSRF)](#8-server-side-request-forgery-ssrf)
+- [9. Cryptographic Failures](#9-cryptographic-failures)
+- [10. Mass Assignment](#10-mass-assignment)
+- [11. File Handling](#11-file-handling)
+- [12. Business Logic](#12-business-logic)
+- [13. Prototype Pollution](#13-prototype-pollution)
+- [14. Server-Side Template Injection](#14-server-side-template-injection)
+- [15. Improper API Inventory](#15-improper-api-inventory)
+- [16. Cross-Site Request Forgery (CSRF)](#16-cross-site-request-forgery-csrf)
+- [17. XML External Entity (XXE)](#17-xml-external-entity-xxe)
+- [18. Open Redirect](#18-open-redirect)
+- [19. GraphQL Security](#19-graphql-security)
+
+---
+
+## 1. Injection
+
+**ASVS**: V1.2 | **API Top 10**: API10:2023 | **WSTG**: WSTG-INPV-05, WSTG-INPV-06, WSTG-INPV-07, WSTG-INPV-12
+
+### SQL Injection
+
+```yaml
+vulnerable_patterns:
+  - pattern: "String concatenation in SQL queries"
+    indicators:
+      - "\"SELECT * FROM users WHERE id = \" + userId"
+      - "f\"SELECT * FROM {table} WHERE id = {id}\""
+      - "`SELECT * FROM users WHERE id = ${req.params.id}`"
+      - "\"SELECT * FROM users WHERE id = '\" + request.getParameter(\"id\") + \"'\""
+    languages: [JavaScript, Python, Java, PHP, C#, Ruby, Go]
+
+  - pattern: "Dynamic table/column names from user input"
+    indicators:
+      - "ORDER BY {user_input}"
+      - "SELECT {user_columns} FROM"
+      - "table name from request parameter"
+
+  - pattern: "ORM raw query methods with interpolation"
+    indicators:
+      - "sequelize.query(`SELECT ... ${input}`)"
+      - "ActiveRecord.execute(\"SELECT ... #{input}\")"
+      - "EntityManager.createNativeQuery(\"SELECT ... \" + input)"
+      - "db.raw(`SELECT ... ${input}`)"
+
+safe_patterns:
+  - "Parameterized queries: db.query('SELECT * FROM users WHERE id = $1', [userId])"
+  - "ORM methods: User.findById(userId), User.where(id: userId)"
+  - "Query builder: knex('users').where('id', userId)"
+```
+
+### NoSQL Injection
+
+```yaml
+vulnerable_patterns:
+  - pattern: "User input directly in NoSQL query objects"
+    indicators:
+      - "db.collection.find({ username: req.body.username, password: req.body.password })"
+      - "$where with user input"
+      - "JSON.parse(user_input) used in query"
+    attack: "{ \"password\": { \"$ne\": \"\" } } bypasses password check"
+
+safe_patterns:
+  - "Explicit field extraction: { username: String(req.body.username) }"
+  - "Schema validation before query construction"
+  - "mongo-sanitize or similar input sanitization library"
+```
+
+### OS Command Injection
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Shell command with user input"
+    indicators:
+      - "exec(`ping ${host}`)"
+      - "os.system(f'ping {host}')"
+      - "Runtime.exec(\"ping \" + host)"
+      - "shell_exec('ping ' . $host)"
+      - "subprocess.call(cmd, shell=True) with user data in cmd"
+
+safe_patterns:
+  - "subprocess.run(['ping', host], shell=False)"
+  - "execFile('ping', [host]) instead of exec()"
+  - "ProcessBuilder with argument list"
+```
+
+### LDAP Injection
+
+```yaml
+vulnerable_patterns:
+  - pattern: "String concatenation in LDAP filter"
+    indicators:
+      - "\"(uid=\" + username + \")\""
+      - "f\"(cn={name})\""
+
+safe_patterns:
+  - "LDAP filter escaping: ldap.filter.escape_filter_chars(username)"
+  - "Parameterized LDAP search libraries"
+```
+
+---
+
+## 2. Broken Authentication
+
+**ASVS**: V6, V7, V9 | **API Top 10**: API2:2023 | **WSTG**: WSTG-ATHN-01 to WSTG-ATHN-10
+
+### Weak Password Storage
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Plaintext or weak hash for passwords"
+    indicators:
+      - "password = req.body.password (stored directly)"
+      - "md5(password), sha1(password), sha256(password) for password storage"
+      - "hashlib.md5(password.encode()).hexdigest()"
+      - "DigestUtils.md5Hex(password)"
+      - "No salt used with hash function"
+
+safe_patterns:
+  - "bcrypt.hash(password, saltRounds)"
+  - "argon2.hash(password)"
+  - "PBKDF2 with >= 600,000 iterations for SHA-256"
+  - "scrypt with appropriate parameters"
+```
+
+### JWT Vulnerabilities
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Algorithm confusion / none algorithm"
+    indicators:
+      - "jwt.decode(token, algorithms=['none'])"
+      - "jwt.verify(token, secret) without specifying algorithms"
+      - "{\"alg\":\"none\"} accepted"
+
+  - pattern: "Weak signing secret"
+    indicators:
+      - "jwt.sign(payload, 'secret')"
+      - "Short or guessable JWT secret"
+      - "Hardcoded JWT secret in source code"
+
+  - pattern: "Missing validation"
+    indicators:
+      - "jwt.decode without verify=True"
+      - "Expiration (exp) not checked"
+      - "Issuer (iss) or audience (aud) not validated"
+
+safe_patterns:
+  - "jwt.verify(token, publicKey, { algorithms: ['RS256'], issuer: 'expected', audience: 'expected' })"
+  - "Strong secret from environment variable, >= 256 bits"
+  - "Short expiration time (15 min for access tokens)"
+```
+
+### Brute Force / Rate Limiting Gaps
+
+```yaml
+vulnerable_patterns:
+  - pattern: "No rate limiting on authentication endpoints"
+    indicators:
+      - "Login endpoint without rate limiter middleware"
+      - "Password reset without throttling"
+      - "OTP verification without attempt limiting"
+      - "GraphQL batching bypasses rate limit (multiple login mutations in one request)"
+
+safe_patterns:
+  - "express-rate-limit or similar middleware on /login, /register, /reset-password"
+  - "Account lockout after N failed attempts"
+  - "CAPTCHA after repeated failures"
+  - "GraphQL query complexity/depth limiting"
+```
+
+---
+
+## 3. Broken Authorization
+
+**ASVS**: V8 | **API Top 10**: API1:2023, API3:2023, API5:2023 | **WSTG**: WSTG-ATHZ-01 to WSTG-ATHZ-04
+
+### Missing Object-Level Authorization (BOLA)
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Data accessed by user-supplied ID without ownership check"
+    indicators:
+      - "User.findById(req.params.id) without checking req.user.id === record.ownerId"
+      - "GET /api/users/:id returns any user's data"
+      - "DELETE /api/orders/:orderId without verifying order belongs to requester"
+      - "GraphQL resolver fetches by ID without authorization filter"
+
+safe_patterns:
+  - "User.findOne({ _id: req.params.id, ownerId: req.user.id })"
+  - "Policy/guard layer that checks resource ownership before handler"
+  - "WHERE user_id = :currentUserId in every data query"
+```
+
+### Missing Function-Level Authorization (BFLA)
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Administrative endpoints without role checks"
+    indicators:
+      - "/api/admin/* routes without admin middleware"
+      - "HTTP method change bypasses auth (GET allowed but DELETE also works)"
+      - "Route exists but no @Authorize, @Roles, or guard decorator"
+      - "Admin check only on frontend, not backend"
+
+safe_patterns:
+  - "router.use('/admin', requireRole('admin'))"
+  - "@PreAuthorize('hasRole(\"ADMIN\")')"
+  - "Centralized authorization middleware applied to all routes"
+```
+
+### Broken Object Property Level Authorization
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Full object returned without field filtering"
+    indicators:
+      - "res.json(user) — returns all fields including password hash, role, internal IDs"
+      - "to_json(), to_dict(), serialize() without field selection"
+      - "GraphQL type exposes all model fields"
+
+  - pattern: "Mass assignment via unfiltered request body"
+    indicators:
+      - "User.create(req.body) — attacker can set role: 'admin'"
+      - "Object.assign(user, req.body)"
+      - "user.update(request.data) without field allowlist"
+
+safe_patterns:
+  - "Explicit field selection: { name: user.name, email: user.email }"
+  - "DTO/serializer pattern with allowed fields"
+  - "Allowlist: const allowed = pick(req.body, ['name', 'email'])"
+```
+
+---
+
+## 4. Sensitive Data Exposure
+
+**ASVS**: V14, V12 | **API Top 10**: API3:2023 | **WSTG**: WSTG-ATHN-01, WSTG-CONF-09
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Secrets in source code"
+    indicators:
+      - "const API_KEY = 'sk-live-...'"
+      - "password = 'hardcoded_password'"
+      - "AWS_SECRET_ACCESS_KEY in code file"
+      - ".env file committed to git"
+    search: ["API_KEY", "SECRET", "PASSWORD", "TOKEN", "PRIVATE_KEY", "AWS_", "sk-live", "ghp_"]
+
+  - pattern: "Sensitive data in logs"
+    indicators:
+      - "console.log('User login:', { username, password })"
+      - "logger.info(f'Request body: {request.body}')"
+      - "Log.d(\"Token: \" + authToken)"
+
+  - pattern: "Sensitive data in URLs"
+    indicators:
+      - "GET /api/users?token=abc123"
+      - "redirect_url contains session token"
+      - "API key in query string"
+
+  - pattern: "Disabled TLS verification"
+    indicators:
+      - "verify=False (Python requests)"
+      - "rejectUnauthorized: false (Node.js)"
+      - "InsecureSkipVerify: true (Go)"
+      - "CURLOPT_SSL_VERIFYPEER => false (PHP)"
+
+safe_patterns:
+  - "Environment variables or secrets manager for all credentials"
+  - "Structured logging with sensitive field redaction"
+  - "Sensitive data in request body (POST), not URL"
+  - "TLS verification always enabled"
+```
+
+---
+
+## 5. Security Misconfiguration
+
+**ASVS**: V13, V3 | **API Top 10**: API8:2023 | **WSTG**: WSTG-CONF-01 to WSTG-CONF-11
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Debug mode in production"
+    indicators:
+      - "DEBUG = True (Django)"
+      - "app.debug = True (Flask)"
+      - "NODE_ENV not set to 'production'"
+      - "Spring Boot actuator endpoints exposed"
+
+  - pattern: "CORS misconfiguration"
+    indicators:
+      - "Access-Control-Allow-Origin: *"
+      - "cors({ origin: true }) — allows any origin"
+      - "Origin header reflected without validation"
+      - "Access-Control-Allow-Credentials: true with wildcard origin"
+
+  - pattern: "Missing security headers"
+    indicators:
+      - "No X-Content-Type-Options header"
+      - "No Content-Security-Policy header"
+      - "No Strict-Transport-Security header"
+      - "X-Powered-By header present (framework fingerprinting)"
+
+  - pattern: "Verbose error responses"
+    indicators:
+      - "Stack trace in HTTP response"
+      - "Database error details in API response"
+      - "Framework default error page in production"
+
+safe_patterns:
+  - "helmet() middleware (Express), SecurityMiddleware (Django)"
+  - "Custom error handler returning generic messages"
+  - "CORS with explicit origin allowlist"
+  - "X-Powered-By header removed"
+```
+
+---
+
+## 6. Cross-Site Scripting (XSS)
+
+**ASVS**: V1.2, V3.5 | **API Top 10**: API8:2023 | **WSTG**: WSTG-INPV-01, WSTG-INPV-02
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Reflected/Stored XSS"
+    indicators:
+      - "innerHTML = userInput"
+      - "dangerouslySetInnerHTML={{ __html: userInput }}"
+      - "document.write(location.hash)"
+      - "<%- userInput %> (EJS unescaped)"
+      - "{{ userInput | safe }} (Jinja2/Nunjucks raw)"
+      - "|raw (Twig), Html.Raw() (Razor), {!! $var !!} (Blade)"
+      - "v-html=\"userInput\" (Vue)"
+
+  - pattern: "DOM-based XSS"
+    indicators:
+      - "element.innerHTML = location.search"
+      - "document.write(document.referrer)"
+      - "eval(window.name)"
+      - "setTimeout(userInput)"
+      - "jQuery.html(userInput), $(selector).append(userInput)"
+
+  - pattern: "XSS in URL context"
+    indicators:
+      - "href=\"javascript:\" + userInput"
+      - "<a href={userInput}> without protocol validation"
+      - "window.location = userInput"
+
+safe_patterns:
+  - "textContent instead of innerHTML"
+  - "Framework auto-escaping (React JSX, Angular templates, Vue {{ }})"
+  - "DOMPurify.sanitize(userInput) for rich text"
+  - "URL validation: only http/https protocols allowed"
+  - "CSP header restricting inline scripts"
+```
+
+---
+
+## 7. Insecure Deserialization
+
+**ASVS**: V1.3.2 | **WSTG**: WSTG-INPV-11
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Untrusted deserialization"
+    indicators:
+      - "pickle.loads(user_data) (Python)"
+      - "yaml.load(user_data) without SafeLoader (Python)"
+      - "ObjectInputStream.readObject() on untrusted data (Java)"
+      - "unserialize($user_data) (PHP)"
+      - "JSON.parse() on large or deeply nested data without limits"
+      - "Marshal.load(user_data) (Ruby)"
+      - "BinaryFormatter.Deserialize (C#)"
+
+safe_patterns:
+  - "yaml.safe_load() (Python)"
+  - "JSON with schema validation and size limits"
+  - "Typed deserialization with allowlist of classes"
+  - "No native serialization for untrusted input"
+```
+
+---
+
+## 8. Server-Side Request Forgery (SSRF)
+
+**ASVS**: V1.3.6, V15.3.2 | **API Top 10**: API7:2023 | **WSTG**: WSTG-INPV-19
+
+```yaml
+vulnerable_patterns:
+  - pattern: "URL from user input used in server-side request"
+    indicators:
+      - "fetch(req.body.url)"
+      - "requests.get(user_provided_url)"
+      - "HttpClient.GetAsync(url_from_input)"
+      - "Image download from user-provided URL"
+      - "Webhook URL provided by user"
+      - "URL preview/unfurl feature"
+    targets:
+      - "http://169.254.169.254/latest/meta-data/ (cloud metadata)"
+      - "http://localhost:PORT (internal services)"
+      - "file:///etc/passwd (local files)"
+
+safe_patterns:
+  - "URL allowlist for permitted domains"
+  - "DNS resolution check (reject private IP ranges: 10.x, 172.16-31.x, 192.168.x, 127.x, 169.254.x)"
+  - "Disable HTTP redirects on server-side requests"
+  - "Separate network zone for URL fetching service"
+  - "Protocol allowlist (only http/https)"
+```
+
+---
+
+## 9. Cryptographic Failures
+
+**ASVS**: V11 | **WSTG**: WSTG-CRYP-01 to WSTG-CRYP-04
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Weak or deprecated algorithms"
+    indicators:
+      - "DES, 3DES, RC4, Blowfish for encryption"
+      - "MD5, SHA-1 for security-sensitive hashing"
+      - "RSA with key < 2048 bits"
+      - "ECB mode for block cipher"
+
+  - pattern: "Hardcoded cryptographic material"
+    indicators:
+      - "const key = Buffer.from('0123456789abcdef')"
+      - "iv = b'\\x00' * 16"
+      - "Hardcoded salt value"
+
+  - pattern: "Insecure random number generation"
+    indicators:
+      - "Math.random() for tokens/secrets"
+      - "random.random() for security (Python)"
+      - "java.util.Random for security (Java)"
+      - "rand() for crypto (C/C++)"
+
+safe_patterns:
+  - "AES-256-GCM, ChaCha20-Poly1305"
+  - "crypto.randomBytes(32) (Node.js), secrets.token_hex(32) (Python)"
+  - "SecureRandom (Java), crypto/rand (Go)"
+  - "Keys from KMS or secure key store"
+```
+
+---
+
+## 10. Mass Assignment
+
+**ASVS**: V15.3.3 | **API Top 10**: API3:2023 | **WSTG**: WSTG-INPV-20
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Direct binding of request body to model"
+    indicators:
+      - "User.create(req.body)"
+      - "user.update_attributes(params)"
+      - "Object.assign(model, req.body)"
+      - "spread operator: { ...existingData, ...req.body }"
+      - "@RequestBody User user without @JsonIgnore on sensitive fields"
+      - "form.populate_obj(model) without field restriction"
+
+  - pattern: "Dangerous fields not protected"
+    dangerous_fields: [role, isAdmin, is_staff, is_superuser, verified, email_verified, balance, permissions, password_hash]
+
+safe_patterns:
+  - "Explicit allowlist: const { name, email } = req.body"
+  - "DTO pattern with only permitted fields"
+  - "Rails strong parameters: params.require(:user).permit(:name, :email)"
+  - "Mongoose select: User.findByIdAndUpdate(id, { $set: { name, email } })"
+  - "@JsonIgnoreProperties on sensitive model fields"
+```
+
+---
+
+## 11. File Handling
+
+**ASVS**: V5 | **API Top 10**: API4:2023 | **WSTG**: WSTG-BUSL-08, WSTG-BUSL-09
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Path traversal in file operations"
+    indicators:
+      - "fs.readFile(req.params.filename)"
+      - "open(os.path.join(base_dir, user_input))"
+      - "File download: '../../../etc/passwd' in filename param"
+
+  - pattern: "Unrestricted file upload"
+    indicators:
+      - "No file type validation (extension or content)"
+      - "Uploaded file served from web-accessible directory"
+      - "No file size limit"
+      - "Original filename used for storage"
+
+  - pattern: "File type validation by extension only"
+    indicators:
+      - "if filename.endswith('.jpg') — easily bypassed with .jpg.php"
+      - "Content-Type header trusted without content inspection"
+
+safe_patterns:
+  - "path.resolve() with base directory check"
+  - "Magic bytes validation (file-type library)"
+  - "Randomized storage filename, original name in metadata"
+  - "Separate storage domain for uploaded files"
+  - "File size limits in both server config and application code"
+```
+
+---
+
+## 12. Business Logic
+
+**ASVS**: V2.2 | **API Top 10**: API6:2023 | **WSTG**: WSTG-BUSL-01 to WSTG-BUSL-09
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Missing rate limiting on sensitive business flows"
+    indicators:
+      - "Purchase/checkout endpoint without rate limit"
+      - "Referral/coupon endpoint abusable in bulk"
+      - "Reservation system without per-user limits"
+
+  - pattern: "Step skipping in multi-step flows"
+    indicators:
+      - "Payment confirmation endpoint callable without prior cart validation"
+      - "Account verification step bypassable by direct API call"
+
+  - pattern: "Negative number / boundary abuse"
+    indicators:
+      - "Negative quantity in purchase (credit instead of charge)"
+      - "Integer overflow in amount calculation"
+      - "Discount applied multiple times"
+
+safe_patterns:
+  - "Server-side state machine for multi-step flows"
+  - "Rate limiting per user per endpoint for business operations"
+  - "Positive value validation on all financial inputs"
+  - "Idempotency keys for critical operations"
+```
+
+---
+
+## 13. Prototype Pollution
+
+**ASVS**: V15.3.6 | **CheatSheet**: Prototype_Pollution_Prevention
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Deep merge/extend with user input"
+    indicators:
+      - "_.merge({}, userInput)"
+      - "$.extend(true, {}, userInput)"
+      - "Recursive Object.assign with nested user input"
+      - "JSON.parse(userInput) with __proto__ key"
+
+  - pattern: "Direct property setting from user keys"
+    indicators:
+      - "obj[userKey] = userValue (if userKey = '__proto__')"
+      - "for (key in userInput) target[key] = userInput[key]"
+
+safe_patterns:
+  - "Object.create(null) for dictionary objects"
+  - "Map/Set instead of plain objects for user-keyed data"
+  - "Key validation: reject '__proto__', 'constructor', 'prototype'"
+  - "Object.freeze(Object.prototype) in startup (defense-in-depth)"
+```
+
+---
+
+## 14. Server-Side Template Injection
+
+**ASVS**: V1.2.11 | **WSTG**: WSTG-INPV-18
+
+```yaml
+vulnerable_patterns:
+  - pattern: "User input in template string"
+    indicators:
+      - "render_template_string(user_input) (Jinja2)"
+      - "new Template(user_input).render() (Freemarker)"
+      - "Handlebars.compile(user_input)"
+      - "ERB.new(user_input).result"
+      - "Template engine with user-controlled template name"
+
+  - pattern: "Template sandbox bypass"
+    indicators:
+      - "{{ config.items() }} (Jinja2 config access)"
+      - "{{ ''.__class__.__mro__[1].__subclasses__() }} (Python class traversal)"
+
+safe_patterns:
+  - "User data passed as template context, never as template source"
+  - "Logic-less templates (Mustache) for user-customizable templates"
+  - "Sandboxed template environment (Jinja2 SandboxedEnvironment)"
+```
+
+---
+
+## 15. Improper API Inventory
+
+**ASVS**: V13, V15.2 | **API Top 10**: API9:2023 | **WSTG**: WSTG-CONF-05, WSTG-CONF-06
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Deprecated or undocumented API endpoints still active"
+    indicators:
+      - "Routes prefixed with /v1/, /old/, /legacy/ still reachable"
+      - "Commented-out routes re-enabled without review"
+      - "API version mismatch between documentation and deployed routes"
+      - "Swagger/OpenAPI spec does not match actual route definitions"
+
+  - pattern: "Shadow APIs and debug endpoints in production"
+    indicators:
+      - "/api/debug/*, /api/test/*, /api/internal/* accessible externally"
+      - "Spring Boot Actuator endpoints exposed (/actuator/env, /actuator/heapdump)"
+      - "GraphQL introspection enabled in production"
+      - "Admin endpoints without authentication or network restriction"
+      - "Health check endpoints leaking environment details"
+
+  - pattern: "Unmanaged API surface expansion"
+    indicators:
+      - "Dynamic route registration from user input or database"
+      - "Wildcard route handlers: app.all('*', handler)"
+      - "Auto-generated CRUD endpoints without explicit allowlist (e.g., Strapi, Hasura defaults)"
+      - "Third-party middleware exposing additional routes not in documentation"
+
+safe_patterns:
+  - "Centralized route registry with explicit endpoint declaration"
+  - "API gateway with route allowlist and version management"
+  - "OpenAPI/Swagger spec as single source of truth, validated against code"
+  - "Automated route inventory comparison in CI pipeline"
+  - "Network-level isolation for internal/debug endpoints"
+  - "Deprecation headers (Sunset, Deprecation) on phased-out endpoints"
+```
+
+---
+
+## 16. Cross-Site Request Forgery (CSRF)
+
+**ASVS**: V3.5.1, V3.5.2, V3.5.3 | **API Top 10**: API8:2023 | **WSTG**: WSTG-SESS-05
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Cookie-based session without CSRF protection"
+    indicators:
+      - "Session cookie set without SameSite attribute"
+      - "POST/PUT/DELETE routes without CSRF token middleware"
+      - "csrf_exempt decorator on state-changing endpoints (Django)"
+      - "csurf middleware not applied (Express)"
+      - "@EnableWebSecurity without CsrfConfigurer (Spring)"
+      - "VerifyCsrfToken middleware excluded for routes (Laravel)"
+
+  - pattern: "CSRF token not validated server-side"
+    indicators:
+      - "CSRF token generated but never checked on submission"
+      - "Token comparison using timing-unsafe equality (== instead of constant-time)"
+      - "CSRF token stored in cookie without double-submit validation"
+
+  - pattern: "State-changing operations on safe HTTP methods"
+    indicators:
+      - "GET /api/transfer?amount=1000&to=attacker"
+      - "GET request triggers data deletion or modification"
+      - "Link-based actions that mutate server state"
+
+safe_patterns:
+  - "SameSite=Lax or Strict on session cookies"
+  - "CSRF token middleware: csurf (Express), CsrfViewMiddleware (Django), CsrfConfigurer (Spring)"
+  - "Double-submit cookie pattern with server-side validation"
+  - "Custom header requirement (X-Requested-With) for AJAX APIs"
+  - "State-changing operations use POST/PUT/PATCH/DELETE only"
+```
+
+---
+
+## 17. XML External Entity (XXE)
+
+**ASVS**: V1.5.1 | **WSTG**: WSTG-INPV-07
+
+```yaml
+vulnerable_patterns:
+  - pattern: "XML parser with external entity resolution enabled"
+    indicators:
+      java:
+        - "DocumentBuilderFactory without setFeature('http://apache.org/xml/features/disallow-doctype-decl', true)"
+        - "SAXParserFactory without disabling external entities"
+        - "XMLInputFactory without XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES set to false"
+        - "TransformerFactory without ACCESS_EXTERNAL_DTD set to empty string"
+        - "Unmarshaller (JAXB) processing untrusted XML without secure parser"
+      python:
+        - "lxml.etree.parse(user_input) with resolve_entities=True (default)"
+        - "xml.etree.ElementTree.parse(user_input) — safe by default, but xml.sax is not"
+        - "defusedxml not used for untrusted XML input"
+      php:
+        - "libxml_disable_entity_loader(false) or not called before parsing"
+        - "simplexml_load_string($user_input) without LIBXML_NOENT protection"
+        - "DOMDocument->loadXML($user_input) without disabling entity loading"
+      javascript:
+        - "xml2js parseString with default options (safe by default, but check for custom options)"
+        - "libxmljs.parseXml(input, { noent: true }) — enables entity expansion"
+        - "fast-xml-parser with entity processing enabled"
+      csharp:
+        - "XmlDocument.LoadXml(input) without XmlResolver set to null"
+        - "XmlTextReader without ProhibitDtd = true (older .NET)"
+        - "XmlReaderSettings without DtdProcessing = DtdProcessing.Prohibit"
+
+  - pattern: "SOAP/XML web service accepting raw XML"
+    indicators:
+      - "XML body parsed without schema validation"
+      - "SOAP endpoint accepting DTD declarations in request"
+
+safe_patterns:
+  - "Java: factory.setFeature('http://apache.org/xml/features/disallow-doctype-decl', true)"
+  - "Python: defusedxml.ElementTree.parse() or lxml with resolve_entities=False"
+  - "PHP: libxml_disable_entity_loader(true) before parsing"
+  - "C#: XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit }"
+  - "General: reject XML input containing <!DOCTYPE or <!ENTITY declarations"
+```
+
+---
+
+## 18. Open Redirect
+
+**ASVS**: V3.7.2 | **WSTG**: WSTG-CLNT-04
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Redirect destination from user input without validation"
+    indicators:
+      - "res.redirect(req.query.url) (Express)"
+      - "redirect(request.GET['next']) (Django)"
+      - "Response.Redirect(Request.QueryString['returnUrl']) (ASP.NET)"
+      - "response.sendRedirect(request.getParameter('redirect')) (Java)"
+      - "header('Location: ' . $_GET['url']) (PHP)"
+      - "redirect_to(params[:return_to]) (Rails)"
+
+  - pattern: "URL validation bypass"
+    indicators:
+      - "url.startsWith('/') — bypassed with //evil.com (protocol-relative URL)"
+      - "url.includes('trusted.com') — bypassed with trusted.com.evil.com"
+      - "Regex matching hostname without anchoring: /trusted\\.com/"
+      - "Allowlist check on full URL instead of parsed hostname"
+
+  - pattern: "Indirect redirect via stored URL"
+    indicators:
+      - "User profile contains callback URL used in redirect after action"
+      - "OAuth redirect_uri not validated against registered URLs"
+      - "Email verification link with user-controlled return URL"
+
+safe_patterns:
+  - "Redirect only to relative paths: url.startsWith('/') && !url.startsWith('//')"
+  - "Allowlist of permitted redirect hostnames with URL parsing"
+  - "Parse URL and validate hostname against trusted domains: new URL(input).hostname"
+  - "Map-based redirect: redirect keys instead of raw URLs (e.g., ?next=dashboard → map['dashboard'])"
+  - "Warning page before external redirect"
+```
+
+---
+
+## 19. GraphQL Security
+
+**ASVS**: V4.3 | **API Top 10**: API4:2023, API8:2023 | **WSTG**: WSTG-APIT-01
+
+```yaml
+vulnerable_patterns:
+  - pattern: "Introspection enabled in production"
+    indicators:
+      - "introspection: true in GraphQL server config"
+      - "No conditional disabling based on NODE_ENV or environment variable"
+      - "__schema and __type queries return results in production"
+
+  - pattern: "No query depth or complexity limiting"
+    indicators:
+      - "graphql-depth-limit or equivalent library not installed"
+      - "No depthLimit, costLimit, or complexityLimit in server config"
+      - "Deeply nested queries possible: { user { friends { friends { friends { ... } } } } }"
+
+  - pattern: "Alias-based batching abuse"
+    indicators:
+      - "No limit on number of aliases per query"
+      - "Rate limiting bypassed via aliased mutations: { a1: login(...), a2: login(...), ... }"
+      - "Batch queries not counted individually for rate limiting"
+
+  - pattern: "Missing field-level authorization"
+    indicators:
+      - "Resolvers return full database objects without field filtering"
+      - "No @auth or @Authorized directive on sensitive fields"
+      - "User type exposes email, role, or internal IDs to all authenticated users"
+      - "Mutation resolvers lack ownership or role checks"
+
+  - pattern: "Information leakage via suggestions"
+    indicators:
+      - "GraphQL error messages suggest valid field names: 'Did you mean X?'"
+      - "Detailed validation errors expose schema structure"
+
+safe_patterns:
+  - "Disable introspection: introspection: process.env.NODE_ENV !== 'production'"
+  - "graphql-depth-limit: depthLimit(10)"
+  - "graphql-query-complexity: limit per query (e.g., max cost 1000)"
+  - "Alias/batch limiting: max aliases per query, count each operation for rate limiting"
+  - "Field-level auth: @auth directives, resolver-level permission checks"
+  - "Persisted queries: reject arbitrary queries in production, only accept pre-registered query hashes"
+  - "Disable field suggestions in production error messages"
+```