create-agentic-app 1.1.56 → 1.1.58

package/template/.claude/skills/security-scanner/references/A07-authentication-failures.md

@@ -0,0 +1,150 @@
+# A07:2025 — Authentication Failures
+
+## Overview
+
+Authentication Failures is #7 in OWASP Top 10:2025. It encompasses 36 CWEs with 1,120,673 total occurrences and 7,147 CVEs. Authentication failures occur when systems incorrectly validate user identity, allowing attackers to compromise passwords, keys, session tokens, or exploit implementation flaws to assume other users' identities.
+
+## Key CWEs
+
+- **CWE-259**: Use of Hard-coded Password
+- **CWE-287**: Improper Authentication
+- **CWE-297**: Improper Validation of Certificate with Host Mismatch
+- **CWE-307**: Improper Restriction of Excessive Authentication Attempts
+- **CWE-384**: Session Fixation
+- **CWE-521**: Weak Password Requirements
+- **CWE-613**: Insufficient Session Expiration
+- **CWE-798**: Use of Hard-coded Credentials
+- **CWE-640**: Weak Password Recovery Mechanism
+
+## What to Look For
+
+### General Patterns
+- Weak session token generation (predictable, sequential, or base64-encoded user data)
+- Sessions that never expire or have excessively long lifetimes
+- Credentials appearing in URLs, logs, or error messages
+- No password strength requirements
+- Session cookies without `HttpOnly`, `Secure`, or `SameSite` flags
+- User enumeration via different error responses (valid vs invalid username)
+- Password reset tokens returned in API responses (should be sent via email/SMS only)
+- Reset tokens that don't expire or can be reused
+- Missing multi-factor authentication on critical operations
+- Hard-coded credentials in source code
+- Custom authentication instead of using established frameworks
+- Sessions not invalidated on logout or password change
+
+### Grep Patterns
+
+```
+# Session/token generation
+session|sessionId|session_id|sessionToken
+token.*=.*base64|token.*=.*encode|token.*=.*Math\.random
+uuid.*v1|Date\.now.*toString
+
+# Session cookie flags
+httpOnly|HttpOnly|http_only
+secure\s*:|Secure|secure.*false
+sameSite|SameSite|same_site
+
+# Session expiration
+maxAge|max_age|expires|expiry|SESSION_LIFETIME
+session.*timeout|session.*expire
+
+# User enumeration
+user.*not.*found|invalid.*user|no.*account|email.*not.*registered
+incorrect.*password|wrong.*password|invalid.*credentials
+
+# Password in logs/URLs
+console\.log.*password|logger.*password|log.*password
+password.*=.*req\.query|password.*=.*params
+
+# Hard-coded credentials
+password.*=.*['"][^'"]+['"]|credential.*=.*['"]
+admin.*admin|root.*root|test.*test
+DEFAULT_PASSWORD|ADMIN_PASSWORD
+
+# Reset tokens
+resetToken|reset_token|verification_token|verificationToken
+token.*response|json.*token.*reset
+```
+
+### JavaScript / TypeScript / Node.js
+- Session token built as `Buffer.from(userId + ':' + timestamp).toString('base64')` — trivially decodable
+- `Math.random()` used for session or reset tokens
+- Cookie set without `{ httpOnly: true, secure: true, sameSite: 'strict' }`
+- Login endpoint returns different messages for "user not found" vs "wrong password"
+- `console.log` including password or token values
+- Reset token returned directly in JSON response body
+- No session invalidation in logout handler
+
+### Python (Django/Flask)
+- Custom session management instead of Django's built-in
+- `SESSION_COOKIE_HTTPONLY = False` or `SESSION_COOKIE_SECURE = False`
+- Different error messages for invalid username vs invalid password
+- Flask `session.permanent = True` without `PERMANENT_SESSION_LIFETIME`
+
+### Java (Spring)
+- `HttpSession` without timeout configuration
+- Custom `AuthenticationProvider` without proper credential validation
+- Missing `invalidateHttpSession(true)` in logout configuration
+- `BCryptPasswordEncoder` with low strength parameter
+
+## Prevention Measures
+
+1. Implement multi-factor authentication to counter automated attacks
+2. Never ship with default or hard-coded credentials
+3. Validate passwords against breached credential databases (Have I Been Pwned)
+4. Follow NIST 800-63b guidelines for password policies
+5. Harden registration and login endpoints against enumeration and brute-force
+6. Use consistent, generic error messages ("Invalid credentials" for all auth failures)
+7. Rate-limit failed login attempts with logging and alerting
+8. Use secure, server-side session managers with high-entropy session IDs
+9. Set session cookies with `HttpOnly`, `Secure`, `SameSite=Strict`
+10. Invalidate sessions on logout and password change
+11. Use established authentication frameworks rather than building custom solutions
+12. Send reset tokens only via email/SMS — never return them in API responses
+
+## Example Attack Scenarios
+
+**Scenario 1 — Credential Stuffing:** Attacker uses known username/password pairs from breaches, modified with predictable patterns (Winter2025 → Winter2026). Without brute-force protection, the app becomes a password oracle.
+
+**Scenario 2 — Session Hijacking:** Session cookie set without `HttpOnly` flag. XSS vulnerability allows JavaScript to read `document.cookie` and send session token to attacker's server.
+
+**Scenario 3 — Session Persistence:** User closes browser without explicit logout. Session is never invalidated server-side. Next user on shared device accesses the previous user's authenticated session.
+
+## Fix Examples
+
+**Before (user enumeration):**
+```typescript
+if (!user) return Response.json({ error: 'User not found' }, { status: 401 });
+if (!validPassword) return Response.json({ error: 'Incorrect password' }, { status: 401 });
+```
+
+**After (consistent error message):**
+```typescript
+if (!user || !validPassword) {
+  return Response.json({ error: 'Invalid credentials' }, { status: 401 });
+}
+```
+
+**Before (insecure session cookie):**
+```typescript
+response.cookies.set('session', token, { httpOnly: false, path: '/' });
+```
+
+**After (secure session cookie):**
+```typescript
+response.cookies.set('session', token, {
+  httpOnly: true,
+  secure: true,
+  sameSite: 'strict',
+  maxAge: 3600,
+  path: '/'
+});
+```
+
+## References
+
+- [OWASP A07:2025](https://owasp.org/Top10/2025/A07_2025-Authentication_Failures/)
+- OWASP Authentication Cheat Sheet
+- OWASP Session Management Cheat Sheet
+- NIST SP 800-63b Digital Identity Guidelines

package/template/.claude/skills/security-scanner/references/A08-software-data-integrity-failures.md

@@ -0,0 +1,132 @@
+# A08:2025 — Software or Data Integrity Failures
+
+## Overview
+
+Software or Data Integrity Failures is #8 in OWASP Top 10:2025. This category covers failures to maintain trust boundaries and verify that software, code, and data are trustworthy before treating them as valid. It encompasses 14 CWEs with 501,327 total occurrences and 3,331 CVEs. Key concerns include insecure deserialization, code execution from untrusted sources, and CI/CD pipeline integrity.
+
+## Key CWEs
+
+- **CWE-502**: Deserialization of Untrusted Data
+- **CWE-829**: Inclusion of Functionality from Untrusted Control Sphere
+- **CWE-915**: Improperly Controlled Modification of Dynamically-Determined Object Attributes
+- **CWE-494**: Download of Code Without Integrity Check
+- **CWE-345**: Insufficient Verification of Data Authenticity
+- **CWE-353**: Missing Support for Integrity Check
+
+## What to Look For
+
+### General Patterns
+- Deserialization of untrusted data (user-submitted serialized objects)
+- `eval()` or `Function()` executing user-provided code
+- CDN/external scripts loaded without Subresource Integrity (SRI) hashes
+- Auto-update mechanisms without signature verification
+- CI/CD pipelines without integrity verification steps
+- Unsigned firmware or software packages
+- Object property injection via mass assignment
+- Dynamic code generation from untrusted input
+- Missing digital signatures on critical data exchanges
+
+### Grep Patterns
+
+```
+# Deserialization
+deserialize|unserialize|pickle\.load|yaml\.load|readObject
+JSON\.parse.*req\.|JSON\.parse.*body|JSON\.parse.*user
+ObjectInputStream|Marshal\.load|php.*unserialize
+fromJson.*untrusted|Gson.*fromJson
+
+# Code execution
+eval\(|Function\(|new Function|vm\.runInContext
+exec\(|execSync\(|compile\(
+setTimeout\(.*['"]|setInterval\(.*['"]
+
+# CDN without integrity
+<script.*src=.*http|<link.*href=.*http
+integrity=|crossorigin=
+
+# Mass assignment / prototype pollution
+Object\.assign\(.*req\.|\.\.\.req\.body|Object\.merge
+__proto__|prototype\[|constructor\[
+
+# Auto-update without verification
+update.*download|download.*update|auto.*update
+checksum|signature|verify.*hash|gpg.*verify
+```
+
+### JavaScript / TypeScript / Node.js
+- `eval(req.body.data)` or `new Function(req.body.code)()` — executes arbitrary user code
+- `JSON.parse()` on untrusted input without schema validation (prototype pollution risk)
+- `Object.assign(target, req.body)` — mass assignment allows property injection
+- External `<script>` or `<link>` tags without `integrity` attribute
+- `__proto__` or `constructor.prototype` manipulation via user input
+
+### Python
+- `pickle.load()` or `yaml.load()` (without `Loader=SafeLoader`) on untrusted data
+- `eval()` or `exec()` with user input
+- `marshal.load()` on untrusted data
+
+### Java
+- `ObjectInputStream.readObject()` without input validation — Java deserialization attacks
+- `XMLDecoder` with untrusted XML
+- Libraries like Apache Commons Collections with known gadget chains
+
+## Prevention Measures
+
+1. Use digital signatures to verify software and data source authenticity
+2. Restrict library/dependency consumption to trusted, vetted repositories
+3. Use tools like OWASP Dependency Check to verify components are free of known vulnerabilities
+4. Enforce code review processes to minimize malicious code introduction
+5. Ensure CI/CD pipeline has proper segregation, configuration, and access controls
+6. Never deserialize untrusted data — or use serialization formats that don't allow code execution (JSON instead of Java serialization, `yaml.safe_load` instead of `yaml.load`)
+7. Add Subresource Integrity (SRI) to all externally loaded scripts/styles
+8. Validate and sanitize all input before processing
+
+## Example Attack Scenarios
+
+**Scenario 1:** External service provider gains access to authentication cookies through DNS mapping, enabling session hijacking.
+
+**Scenario 2:** Unsigned firmware update on router/device used as attack vector with no remediation path.
+
+**Scenario 3:** Developers install packages from untrusted sources lacking signature verification, introducing malware.
+
+**Scenario 4:** Java deserialization attack — attacker crafts malicious serialized object that executes arbitrary code upon deserialization.
+
+## Fix Examples
+
+**Before (eval with user input):**
+```typescript
+export async function POST(req) {
+  const { data } = await req.json();
+  const result = eval(data); // Arbitrary code execution
+  return Response.json({ result });
+}
+```
+
+**After (safe data processing):**
+```typescript
+export async function POST(req) {
+  const { data } = await req.json();
+  const parsed = JSON.parse(data); // Parse as data only, never as code
+  const validated = schema.parse(parsed); // Validate against schema
+  return Response.json({ result: processData(validated) });
+}
+```
+
+**Before (Python pickle deserialization):**
+```python
+import pickle
+data = pickle.loads(request.data)  # Arbitrary code execution
+```
+
+**After (safe deserialization):**
+```python
+import json
+data = json.loads(request.data)  # JSON cannot execute code
+validated = DataSchema(**data)    # Validate against schema
+```
+
+## References
+
+- [OWASP A08:2025](https://owasp.org/Top10/2025/A08_2025-Software_or_Data_Integrity_Failures/)
+- OWASP Cheat Sheet: Deserialization
+- OWASP ASVS: Data Integrity

package/template/.claude/skills/security-scanner/references/A09-security-logging-alerting-failures.md

@@ -0,0 +1,130 @@
+# A09:2025 — Security Logging and Alerting Failures
+
+## Overview
+
+Security Logging and Alerting Failures is #9 in OWASP Top 10:2025. This category covers insufficient logging, monitoring, and alerting that prevent detection of security breaches. It maps to 5 CWEs with 723 CVEs. Real-world impact is severe: a healthcare provider went 7 years undetected after a breach affecting 3.5M records; a major airline suffered a decade-long data breach at a third-party provider.
+
+## Key CWEs
+
+- **CWE-117**: Improper Output Neutralization for Logs
+- **CWE-221**: Information Loss or Omission
+- **CWE-223**: Omission of Security-relevant Information
+- **CWE-532**: Insertion of Sensitive Information into Log File
+- **CWE-778**: Insufficient Logging
+
+## What to Look For
+
+### General Patterns
+- Sensitive data written to logs (passwords, tokens, credit cards, PII, session IDs)
+- Missing audit logging for security-relevant events (login, failed auth, privilege changes, data access)
+- No logging on authentication failures or access control failures
+- Error messages that expose sensitive information to end users
+- Logs without timestamps, request IDs, or sufficient context for forensics
+- Log files stored without integrity protection (can be tampered with)
+- No centralized log aggregation or monitoring
+- Missing alerting on suspicious patterns (brute force, unusual access)
+- Unencoded log entries vulnerable to log injection attacks
+- Logging only to console/stdout without persistence
+
+### Grep Patterns
+
+```
+# Sensitive data in logs
+console\.log.*password|console\.log.*token|console\.log.*secret
+console\.log.*session|console\.log.*cookie|console\.log.*key
+logger\.info.*password|logger\.debug.*token|log\.info.*credential
+print\(.*password|print\(.*token|logging\.info.*password
+
+# Missing security event logging
+login.*fail|auth.*fail|access.*denied|unauthorized
+audit|auditLog|audit_log|security_log|securityEvent
+
+# Log injection risk
+console\.log\(.*req\.|logger\.info\(.*req\.body|log\(.*user_input
+
+# Logging framework usage
+winston|bunyan|pino|morgan|log4js|logging|logger
+console\.log|console\.error|console\.warn
+
+# Error exposure to users
+res\.json.*err|response.*error.*message|render.*error.*stack
+```
+
+### JavaScript / TypeScript / Node.js
+- `console.log('Login attempt:', email, password)` — passwords in logs
+- `console.log('Session created:', sessionToken)` — tokens in logs
+- Using only `console.log` without a logging framework (no levels, no persistence, no structure)
+- Missing logging on failed authentication, failed authorization, and input validation failures
+- Error responses including `err.message` or `err.stack` sent to client
+
+### Python (Django/Flask)
+- `print(f"User {email} login with password {password}")` — passwords in logs
+- Missing `LOGGING` configuration in Django settings
+- No audit trail for admin actions
+- `logging.debug()` containing sensitive request data
+
+### Java (Spring)
+- `logger.info("Auth token: " + token)` — tokens in logs
+- Missing Spring Security audit events configuration
+- No `@EventListener` for `AuthenticationFailureBadCredentialsEvent`
+
+## Prevention Measures
+
+1. Log all authentication events (success and failure) with sufficient context for forensic analysis
+2. Log all access control failures and input validation failures
+3. Use structured, machine-readable log formats compatible with log management tools
+4. Encode log data properly to prevent log injection attacks
+5. Use append-only audit trails with integrity controls for critical events
+6. Never log sensitive data: passwords, tokens, credit card numbers, PII
+7. Establish monitoring and alerting for suspicious patterns (brute force, mass data access)
+8. Implement error-triggered transaction rollbacks where appropriate
+9. Use centralized log aggregation (ELK stack, Splunk, Datadog, etc.)
+10. Create incident response playbooks tied to alerting thresholds
+11. Ensure logs include timestamps, user IDs, IP addresses, and request context
+
+## Example Attack Scenarios
+
+**Scenario 1:** Healthcare provider breached for 7 years undetected due to absent monitoring — 3.5M children's health records compromised.
+
+**Scenario 2:** Major airline suffered a decade-long data breach at third-party cloud provider, discovered only through external investigation.
+
+**Scenario 3:** European airline fined EUR 20M under GDPR after payment system breach exposed 400,000+ customer records — insufficient logging delayed detection.
+
+## Fix Examples
+
+**Before (sensitive data in logs):**
+```typescript
+console.log(`Login attempt: ${email} / ${password}`);
+// ...
+console.log(`Session created: ${sessionToken}`);
+```
+
+**After (safe logging):**
+```typescript
+import { logger } from './logger';
+logger.info('Login attempt', { email, ip: req.ip, timestamp: new Date().toISOString() });
+// ...
+logger.info('Session created', { userId: user.id, ip: req.ip });
+// Never log passwords, tokens, or session IDs
+```
+
+**Before (no security event logging):**
+```typescript
+if (!user) return Response.json({ error: 'Invalid credentials' }, { status: 401 });
+```
+
+**After (with audit logging):**
+```typescript
+if (!user) {
+  logger.warn('Failed login attempt', { email, ip: req.ip, reason: 'user_not_found' });
+  return Response.json({ error: 'Invalid credentials' }, { status: 401 });
+}
+```
+
+## References
+
+- [OWASP A09:2025](https://owasp.org/Top10/2025/A09_2025-Security_Logging_and_Alerting_Failures/)
+- OWASP Proactive Controls: C9 Security Logging and Monitoring
+- OWASP Cheat Sheet: Application Logging Vocabulary
+- OWASP ASVS V16 Security Logging and Error Handling
+- NIST SP 800-61r2: Computer Security Incident Handling Guide

package/template/.claude/skills/security-scanner/references/A10-mishandling-exceptional-conditions.md

@@ -0,0 +1,154 @@
+# A10:2025 — Mishandling of Exceptional Conditions
+
+## Overview
+
+Mishandling of Exceptional Conditions is #10 in OWASP Top 10:2025 — a newly introduced category. It covers 24 CWEs with 769,581 total occurrences and 3,416 CVEs. This category addresses deficiencies in error management: programs that fail to prevent, detect, or respond to unusual and unpredictable situations. These failures threaten confidentiality (info disclosure), availability (denial of service), and integrity (data corruption).
+
+## Key CWEs
+
+- **CWE-209**: Generation of Error Message Containing Sensitive Information
+- **CWE-234**: Failure to Handle Missing Parameter
+- **CWE-274**: Improper Handling of Insufficient Privileges
+- **CWE-280**: Improper Handling of Insufficient Permissions
+- **CWE-476**: NULL Pointer Dereference
+- **CWE-636**: Not Failing Securely (Fail-Open)
+- **CWE-252**: Unchecked Return Value
+- **CWE-754**: Improper Check for Unusual or Exceptional Conditions
+- **CWE-755**: Improper Handling of Exceptional Conditions
+
+## What to Look For
+
+### General Patterns
+- Empty catch blocks that swallow errors silently
+- Generic error handling that hides root causes
+- Missing error handling on async operations (unhandled promise rejections)
+- Error responses that expose stack traces, SQL queries, or internal paths to users
+- Fail-open patterns: errors cause the system to grant access instead of denying it
+- Unchecked return values from security-critical functions
+- Missing error handling on file I/O, network calls, database operations
+- Partial transaction failures without rollback
+- Resource leaks when exceptions occur (file handles, DB connections, memory)
+- Missing global/unhandled exception handlers
+- Inconsistent error handling across the application
+
+### Grep Patterns
+
+```
+# Empty catch blocks
+catch\s*\([^)]*\)\s*\{\s*\}|catch\s*\(\s*\)\s*:|except\s*:.*pass
+catch.*\{\s*\/\/|catch.*\{\s*\n\s*\}
+
+# Stack trace / internal info exposure
+err\.stack|error\.stack|e\.getStackTrace|traceback
+err\.message|error\.message|e\.getMessage
+res\.json.*err|response.*stack|render.*error
+
+# Fail-open patterns
+catch.*return true|catch.*allow|catch.*grant|catch.*next\(\)
+catch.*continue|on_error.*pass|rescue.*true
+
+# Unhandled async
+\.then\((?!.*\.catch)|async.*(?!try)
+unhandledRejection|uncaughtException
+
+# Unchecked returns
+=\s*(await\s+)?.*\(.*\)\s*;?\s*$(?!.*if|.*\?|.*throw|.*return)
+
+# Resource cleanup
+finally|dispose|close|cleanup|release
+try.*open|try.*connect|try.*acquire
+```
+
+### JavaScript / TypeScript / Node.js
+- `catch (e) {}` — empty catch block, error silently swallowed
+- `catch (e) { return res.json({ error: e.message, stack: e.stack }) }` — info disclosure
+- Missing `.catch()` on Promises or missing try/catch around `await`
+- Express error middleware missing or exposing internals
+- `process.on('uncaughtException')` handler missing
+- Database/file operations without try/catch in async handlers
+
+### Python (Django/Flask)
+- `except: pass` or `except Exception: pass` — swallowing all errors
+- `traceback.format_exc()` returned in HTTP response
+- Missing `finally` blocks for resource cleanup
+- Django `DEBUG = True` in production exposing full tracebacks
+
+### Java (Spring)
+- Empty catch blocks: `catch (Exception e) {}`
+- `e.printStackTrace()` in production code
+- Missing `@ControllerAdvice` global exception handler
+- `@ExceptionHandler` returning `e.getMessage()` to client
+
+## Prevention Measures
+
+1. Catch and handle errors at their point of origin with meaningful responses
+2. Provide user-friendly error messages — never expose internal details
+3. Log all errors with sufficient context for debugging
+4. Use global exception handlers as a safety net for unhandled errors
+5. Roll back transactions completely on failure — no partial state
+6. Apply rate limiting and resource quotas to prevent resource exhaustion
+7. Implement proper resource cleanup in `finally` blocks
+8. Default to deny (fail-closed) — never grant access on error
+9. Conduct stress testing and penetration testing to find edge cases
+10. Aggregate repeated identical errors as statistics to prevent log flooding
+
+## Example Attack Scenarios
+
+**Scenario 1 — Denial of Service:** File upload exception leaves resources unreleased. Repeated uploads exhaust system resources, causing downtime until restart.
+
+**Scenario 2 — Information Disclosure:** Database error message exposes table names, column names, and query structure. Attacker uses this to craft targeted SQL injection attacks.
+
+**Scenario 3 — Financial Transaction Compromise:** Network interruption during multi-step transfer. Missing rollback allows attacker to drain accounts or create duplicate transfers.
+
+## Fix Examples
+
+**Before (empty catch + info disclosure):**
+```typescript
+try {
+  const results = db.all(query);
+  return Response.json(results);
+} catch (e) {
+  return Response.json({ error: e.message, sql: query, stack: e.stack });
+}
+```
+
+**After (proper error handling):**
+```typescript
+try {
+  const results = db.all(query);
+  return Response.json(results);
+} catch (e) {
+  logger.error('Database query failed', { error: e.message, query, stack: e.stack });
+  return Response.json({ error: 'An internal error occurred' }, { status: 500 });
+}
+```
+
+**Before (fail-open):**
+```typescript
+try {
+  const isAuthorized = await checkPermission(user, resource);
+  if (!isAuthorized) return deny();
+} catch (e) {
+  // Auth service is down, let them through
+}
+return allow();
+```
+
+**After (fail-closed):**
+```typescript
+try {
+  const isAuthorized = await checkPermission(user, resource);
+  if (!isAuthorized) return deny();
+  return allow();
+} catch (e) {
+  logger.error('Authorization check failed', { user: user.id, resource, error: e.message });
+  return deny(); // Default to deny on error
+}
+```
+
+## References
+
+- [OWASP A10:2025](https://owasp.org/Top10/2025/A10_2025-Mishandling_of_Exceptional_Conditions/)
+- OWASP Error Handling Cheat Sheet
+- OWASP Logging Cheat Sheet
+- OWASP ASVS V16.5 Error Handling