skillstore-cli 1.0.0

package/data/shared/framework/skills/security-audit/references/owasp-checklist.md

@@ -0,0 +1,580 @@
+# OWASP Top 10 (2021) — Security Audit Checklist
+
+Comprehensive checklist with detection techniques, vulnerable code examples, and remediation patterns for each OWASP Top 10 category.
+
+---
+
+## A01: Broken Access Control
+
+The most common web application vulnerability. Occurs when users can act outside their intended permissions.
+
+### What to Look For
+- **IDOR (Insecure Direct Object Reference):** User-controlled IDs in URLs/request bodies without ownership verification
+- **Horizontal privilege escalation:** User A accessing User B's resources
+- **Vertical privilege escalation:** Regular user accessing admin functionality
+- **Missing function-level access control:** Endpoints without authentication/authorization middleware
+- **Metadata manipulation:** Tampering with JWTs, cookies, or hidden fields to elevate privileges
+
+### Vulnerable Code Example (IDOR)
+```javascript
+// VULNERABLE: No ownership check — any authenticated user can access any profile
+app.get('/api/users/:id/profile', authenticate, async (req, res) => {
+  const profile = await db.query('SELECT * FROM profiles WHERE user_id = $1', [req.params.id]);
+  res.json(profile.rows[0]);
+});
+```
+
+### Fix: Middleware-Based RBAC
+```javascript
+// SECURE: Ownership verification + role-based access control
+const authorizeResource = (resourceType) => async (req, res, next) => {
+  const resourceId = req.params.id;
+  const userId = req.user.id;
+  const userRole = req.user.role;
+
+  // Admins bypass ownership check
+  if (userRole === 'admin') return next();
+
+  // Verify resource ownership
+  const resource = await db.query(
+    `SELECT owner_id FROM ${resourceType} WHERE id = $1`,
+    [resourceId]
+  );
+
+  if (!resource.rows[0] || resource.rows[0].owner_id !== userId) {
+    return res.status(403).json({ error: 'Access denied' });
+  }
+
+  next();
+};
+
+app.get('/api/users/:id/profile', authenticate, authorizeResource('profiles'), async (req, res) => {
+  const profile = await db.query('SELECT * FROM profiles WHERE user_id = $1', [req.params.id]);
+  res.json(profile.rows[0]);
+});
+```
+
+### Checklist
+- [ ] Every endpoint has authentication middleware
+- [ ] Every data-access endpoint verifies resource ownership
+- [ ] Role checks are enforced server-side, not just UI-hidden
+- [ ] Directory listing is disabled on static file servers
+- [ ] CORS is restricted to known origins
+- [ ] JWT claims are validated on every request
+
+---
+
+## A02: Cryptographic Failures
+
+Sensitive data exposed due to weak or missing cryptography.
+
+### What to Look For
+- **Weak hashing:** MD5 or SHA-1 for passwords
+- **Plaintext storage:** Passwords, API keys, or PII stored unencrypted in database
+- **Insecure TLS:** TLS 1.0/1.1, weak cipher suites, missing HSTS
+- **Hardcoded secrets:** API keys or credentials in source code
+- **Insufficient key management:** Encryption keys in environment variables without rotation
+
+### Vulnerable Code Example
+```javascript
+// VULNERABLE: MD5 is cryptographically broken for password hashing
+const crypto = require('crypto');
+const hashedPassword = crypto.createHash('md5').update(password).digest('hex');
+await db.query('INSERT INTO users (email, password) VALUES ($1, $2)', [email, hashedPassword]);
+```
+
+### Fix: Proper Password Hashing
+```javascript
+// SECURE: Argon2id with appropriate parameters
+const argon2 = require('argon2');
+
+// Hashing
+const hashedPassword = await argon2.hash(password, {
+  type: argon2.argon2id,
+  memoryCost: 65536,    // 64 MB
+  timeCost: 3,          // 3 iterations
+  parallelism: 4
+});
+
+// Verification
+const isValid = await argon2.verify(hashedPassword, candidatePassword);
+```
+
+### Fix: TLS Configuration (Node.js)
+```javascript
+const tls = require('tls');
+const server = https.createServer({
+  key: fs.readFileSync('private-key.pem'),
+  cert: fs.readFileSync('certificate.pem'),
+  minVersion: 'TLSv1.2',
+  cipherSuites: 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256',
+  honorCipherOrder: true
+});
+```
+
+### Checklist
+- [ ] Passwords hashed with Argon2id or bcrypt (cost factor >= 12)
+- [ ] No MD5 or SHA-1 used for any security purpose
+- [ ] TLS 1.2+ enforced, TLS 1.0/1.1 disabled
+- [ ] HSTS header set with max-age >= 31536000 and includeSubDomains
+- [ ] Sensitive data encrypted at rest (AES-256-GCM)
+- [ ] No secrets in source code or version control
+
+---
+
+## A03: Injection
+
+Untrusted data sent to an interpreter as part of a command or query.
+
+### What to Look For
+- **SQL injection:** String concatenation in queries
+- **NoSQL injection:** Unvalidated operators in MongoDB queries
+- **Command injection:** User input passed to shell commands
+- **XSS (Reflected):** User input reflected in HTML without encoding
+- **XSS (Stored):** User-submitted content rendered without sanitization
+- **XSS (DOM):** Client-side JavaScript using untrusted data in dangerous sinks
+
+### Vulnerable Code: SQL Injection
+```javascript
+// VULNERABLE: String interpolation creates injection point
+app.get('/api/search', async (req, res) => {
+  const results = await db.query(`SELECT * FROM products WHERE name LIKE '%${req.query.q}%'`);
+  res.json(results.rows);
+});
+// Attack: /api/search?q=' OR 1=1; DROP TABLE products; --
+```
+
+### Fix: Parameterized Queries
+```javascript
+// SECURE: Parameterized query prevents injection
+app.get('/api/search', async (req, res) => {
+  const results = await db.query(
+    'SELECT * FROM products WHERE name LIKE $1',
+    [`%${req.query.q}%`]
+  );
+  res.json(results.rows);
+});
+```
+
+### Vulnerable Code: NoSQL Injection
+```javascript
+// VULNERABLE: User can pass { "$gt": "" } to bypass authentication
+app.post('/api/login', async (req, res) => {
+  const user = await User.findOne({ email: req.body.email, password: req.body.password });
+});
+```
+
+### Fix: Input Type Enforcement
+```javascript
+// SECURE: Enforce string type + use hashed password comparison
+app.post('/api/login', async (req, res) => {
+  if (typeof req.body.email !== 'string' || typeof req.body.password !== 'string') {
+    return res.status(400).json({ error: 'Invalid input' });
+  }
+  const user = await User.findOne({ email: req.body.email });
+  if (!user || !(await argon2.verify(user.passwordHash, req.body.password))) {
+    return res.status(401).json({ error: 'Invalid credentials' });
+  }
+});
+```
+
+### Vulnerable Code: Command Injection
+```javascript
+// VULNERABLE: User input passed directly to shell
+const { exec } = require('child_process');
+app.get('/api/ping', (req, res) => {
+  exec(`ping -c 3 ${req.query.host}`, (error, stdout) => res.send(stdout));
+});
+// Attack: /api/ping?host=; cat /etc/passwd
+```
+
+### Fix: Use Safe APIs
+```javascript
+// SECURE: execFile does not invoke a shell
+const { execFile } = require('child_process');
+const validator = require('validator');
+
+app.get('/api/ping', (req, res) => {
+  if (!validator.isIP(req.query.host) && !validator.isFQDN(req.query.host)) {
+    return res.status(400).json({ error: 'Invalid host' });
+  }
+  execFile('ping', ['-c', '3', req.query.host], (error, stdout) => res.send(stdout));
+});
+```
+
+### XSS Fix: Context-Specific Output Encoding
+```javascript
+// React: JSX auto-escapes by default — avoid dangerouslySetInnerHTML
+// If raw HTML is required, sanitize first:
+import DOMPurify from 'dompurify';
+const SafeContent = ({ html }) => (
+  <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }} />
+);
+```
+
+### Checklist
+- [ ] All SQL queries use parameterized statements (no string concatenation)
+- [ ] NoSQL queries enforce input types before querying
+- [ ] No user input passed to exec(), eval(), or similar interpreters
+- [ ] User-generated content sanitized before rendering (DOMPurify for HTML)
+- [ ] Content-Security-Policy header blocks inline scripts
+
+---
+
+## A04: Insecure Design
+
+Security flaws rooted in missing or ineffective design-level controls, not implementation bugs.
+
+### What to Look For
+- **Missing rate limiting:** Login, password reset, or API endpoints without throttling
+- **Business logic flaws:** Price manipulation, workflow bypass, race conditions
+- **Missing threat modeling:** No consideration of abuse scenarios during design
+- **Inadequate separation of privilege:** Single token grants access to everything
+
+### Fix: Threat Modeling Checklist
+For every new feature, answer:
+1. What data does this feature handle? What is its sensitivity classification?
+2. Who should access this? What are the trust boundaries?
+3. What happens if input is malicious? (SQL/XSS/command injection, overflow, type confusion)
+4. What happens if the user calls this 10,000 times per second?
+5. What happens if requests arrive in an unexpected order? (race conditions, TOCTOU)
+6. What happens if this feature is used in a way we didn't intend? (business logic abuse)
+7. Can we detect and alert on abuse of this feature?
+
+### Fix: Rate Limiting Implementation
+```javascript
+const rateLimit = require('express-rate-limit');
+
+const loginLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,   // 15-minute window
+  max: 5,                      // 5 attempts per window
+  message: { error: 'Too many login attempts. Try again in 15 minutes.' },
+  standardHeaders: true,
+  legacyHeaders: false,
+  keyGenerator: (req) => req.body.email || req.ip,  // Per-account limiting
+});
+
+app.post('/api/auth/login', loginLimiter, loginHandler);
+```
+
+### Checklist
+- [ ] Threat model exists for authentication, payments, and data-access features
+- [ ] Rate limiting on login, registration, password reset, and API endpoints
+- [ ] Business logic validated server-side (prices, quantities, permissions)
+- [ ] Race conditions mitigated with database-level locking or idempotency keys
+
+---
+
+## A05: Security Misconfiguration
+
+Default, incomplete, or ad-hoc configurations that leave the application vulnerable.
+
+### What to Look For
+- **Default credentials:** Unchanged admin passwords on databases, dashboards, or services
+- **Verbose error messages:** Stack traces or internal paths exposed to users
+- **Unnecessary features:** Debug endpoints, sample applications, unused HTTP methods
+- **Missing security headers:** No CSP, HSTS, X-Frame-Options, etc.
+- **Permissive cloud IAM:** Overly broad S3 policies, wildcard permissions
+
+### Fix: Hardening Checklist
+- [ ] Remove or disable debug endpoints and sample code in production
+- [ ] Error responses return generic messages; details logged server-side only
+- [ ] All default credentials changed; enforce strong passwords
+- [ ] Unnecessary HTTP methods disabled (TRACE, OPTIONS if unused)
+- [ ] Security headers set: CSP, HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
+- [ ] Cloud IAM follows least-privilege principle
+- [ ] Directory listing disabled
+- [ ] Server version headers removed (X-Powered-By)
+
+```javascript
+// Express security headers with helmet
+const helmet = require('helmet');
+app.use(helmet({
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", "data:", "https:"],
+      connectSrc: ["'self'"],
+      fontSrc: ["'self'"],
+      objectSrc: ["'none'"],
+      frameSrc: ["'none'"],
+    },
+  },
+  hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
+  referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
+}));
+```
+
+---
+
+## A06: Vulnerable and Outdated Components
+
+Using libraries, frameworks, or components with known vulnerabilities.
+
+### What to Look For
+- **Outdated dependencies:** npm packages, Python packages, container base images with known CVEs
+- **Unmaintained libraries:** No updates in 12+ months with open security issues
+- **Transitive vulnerabilities:** Vulnerable sub-dependencies you don't directly control
+
+### Fix: Dependency Scanning Pipeline
+```yaml
+# GitHub Actions workflow for dependency scanning
+name: Security Scan
+on:
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly Monday scan
+
+jobs:
+  dependency-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm audit --audit-level=high
+      - uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      - uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          severity: 'HIGH,CRITICAL'
+          exit-code: '1'
+```
+
+### Checklist
+- [ ] `npm audit` / `pip audit` runs in CI and blocks on high/critical
+- [ ] Dependabot or Renovate enabled for automated dependency PRs
+- [ ] Container base images pinned to specific digests and scanned with Trivy
+- [ ] License compliance checked (no copyleft in proprietary code)
+
+---
+
+## A07: Identification and Authentication Failures
+
+Weaknesses in authentication mechanisms that allow attackers to compromise credentials or sessions.
+
+### What to Look For
+- **Credential stuffing:** No protection against automated login attempts with leaked credentials
+- **Weak password policy:** Allows short or common passwords
+- **Session fixation:** Session ID not regenerated after login
+- **Missing MFA:** High-privilege accounts without multi-factor authentication
+- **Insecure password recovery:** Security questions, predictable tokens
+
+### Fix: Secure Authentication Checklist
+```javascript
+// Secure session configuration (express-session)
+app.use(session({
+  secret: process.env.SESSION_SECRET,    // Strong random secret from env
+  name: '__Host-sid',                    // __Host- prefix enforces Secure + Path=/
+  resave: false,
+  saveUninitialized: false,
+  cookie: {
+    httpOnly: true,       // Not accessible via JavaScript
+    secure: true,         // HTTPS only
+    sameSite: 'lax',      // CSRF protection
+    maxAge: 3600000,      // 1 hour
+    path: '/',
+  },
+  store: new RedisStore({ client: redisClient }),  // Server-side session store
+}));
+
+// Regenerate session on login to prevent session fixation
+app.post('/api/auth/login', loginLimiter, async (req, res) => {
+  const user = await authenticateUser(req.body.email, req.body.password);
+  if (!user) return res.status(401).json({ error: 'Invalid credentials' });
+
+  req.session.regenerate((err) => {
+    if (err) return res.status(500).json({ error: 'Session error' });
+    req.session.userId = user.id;
+    req.session.role = user.role;
+    res.json({ success: true });
+  });
+});
+```
+
+### Checklist
+- [ ] Rate limiting on authentication endpoints (5 attempts / 15 min)
+- [ ] Password policy: minimum 12 characters, checked against breached passwords (HaveIBeenPwned API)
+- [ ] Session regenerated on login, invalidated on logout
+- [ ] MFA available for all users, required for admin/privileged roles
+- [ ] Password reset tokens are single-use, time-limited (< 1 hour), and cryptographically random
+
+---
+
+## A08: Software and Data Integrity Failures
+
+Assumptions about software updates, critical data, or CI/CD pipelines without verifying integrity.
+
+### What to Look For
+- **Unsigned updates:** Application or plugin updates without signature verification
+- **CI/CD pipeline poisoning:** Untrusted code execution in build pipelines
+- **Insecure deserialization:** Deserializing untrusted data (Java ObjectInputStream, Python pickle, Node.js node-serialize)
+- **Dependency confusion:** Internal package names squatted on public registries
+
+### Fix: Integrity Verification
+```javascript
+// Verify webhook signatures (e.g., Stripe)
+const crypto = require('crypto');
+
+function verifyWebhookSignature(payload, signature, secret) {
+  const expectedSignature = crypto
+    .createHmac('sha256', secret)
+    .update(payload, 'utf8')
+    .digest('hex');
+
+  return crypto.timingConstantEqual(
+    Buffer.from(signature),
+    Buffer.from(`sha256=${expectedSignature}`)
+  );
+}
+```
+
+### Checklist
+- [ ] CI/CD pipelines use pinned action versions (hash, not tag)
+- [ ] Artifact signing enabled for deployments
+- [ ] No deserialization of untrusted data (avoid `eval()`, `pickle.loads()`, `unserialize()`)
+- [ ] Subresource Integrity (SRI) for CDN-loaded scripts
+- [ ] `.npmrc` configured with `registry` pointing to private registry when applicable
+
+---
+
+## A09: Security Logging and Monitoring Failures
+
+Insufficient logging and monitoring prevent detection of breaches and active attacks.
+
+### What to Look For
+- **Missing audit logs:** Login attempts, access control failures, input validation failures not logged
+- **Log injection:** User input written to logs without sanitization
+- **No alerting:** No automated alerts on suspicious patterns
+- **Insufficient log retention:** Logs rotated before incident investigation can occur
+
+### Fix: Structured Security Logging
+```javascript
+const winston = require('winston');
+
+const securityLogger = winston.createLogger({
+  level: 'info',
+  format: winston.format.combine(
+    winston.format.timestamp({ format: 'ISO' }),
+    winston.format.json()
+  ),
+  defaultMeta: { service: 'security-audit' },
+  transports: [
+    new winston.transports.File({ filename: 'security-events.log' }),
+  ],
+});
+
+// Log security events with structured data
+function logSecurityEvent(event) {
+  // Sanitize user-controlled fields to prevent log injection
+  const sanitized = {
+    ...event,
+    userAgent: event.userAgent?.replace(/[\r\n]/g, ''),
+    email: event.email?.replace(/[\r\n]/g, ''),
+  };
+
+  securityLogger.info('security_event', sanitized);
+}
+
+// Usage examples
+logSecurityEvent({
+  type: 'AUTH_FAILURE',
+  email: req.body.email,
+  ip: req.ip,
+  userAgent: req.headers['user-agent'],
+  reason: 'invalid_password',
+});
+
+logSecurityEvent({
+  type: 'ACCESS_DENIED',
+  userId: req.user.id,
+  resource: req.originalUrl,
+  method: req.method,
+  ip: req.ip,
+});
+```
+
+### Checklist
+- [ ] Authentication events logged: success, failure, lockout, password change
+- [ ] Authorization failures logged with user ID, resource, and action
+- [ ] Input validation failures logged (potential injection attempts)
+- [ ] Log injection prevented (newline stripping, structured logging)
+- [ ] Alerts configured for: 10+ auth failures in 5 min, admin access from new IP, privilege escalation
+- [ ] Log retention >= 90 days (or per compliance: SOC 2 = 1 year, PCI-DSS = 1 year)
+
+---
+
+## A10: Server-Side Request Forgery (SSRF)
+
+Application fetches a remote resource using a user-supplied URL without validation.
+
+### What to Look For
+- **Internal network access:** Fetching URLs that resolve to internal IPs (127.0.0.1, 10.x, 169.254.169.254)
+- **Cloud metadata access:** SSRF to cloud metadata endpoints (AWS IMDSv1: http://169.254.169.254)
+- **Protocol smuggling:** file://, gopher://, dict:// protocol handlers
+- **DNS rebinding:** Domain resolving to internal IP after validation
+
+### Vulnerable Code
+```javascript
+// VULNERABLE: User-controlled URL fetched without validation
+app.post('/api/fetch-url', async (req, res) => {
+  const response = await fetch(req.body.url);
+  const data = await response.text();
+  res.json({ content: data });
+});
+```
+
+### Fix: URL Validation and Allowlisting
+```javascript
+const { URL } = require('url');
+const dns = require('dns').promises;
+const ipaddr = require('ipaddr.js');
+
+const ALLOWED_PROTOCOLS = ['https:'];
+const BLOCKED_IP_RANGES = ['private', 'loopback', 'linkLocal', 'uniqueLocal'];
+
+async function validateUrl(urlString) {
+  // Parse and validate protocol
+  let parsed;
+  try { parsed = new URL(urlString); }
+  catch { throw new Error('Invalid URL'); }
+
+  if (!ALLOWED_PROTOCOLS.includes(parsed.protocol)) {
+    throw new Error('Protocol not allowed');
+  }
+
+  // Resolve DNS and check IP is not internal
+  const addresses = await dns.resolve4(parsed.hostname);
+  for (const addr of addresses) {
+    const ip = ipaddr.parse(addr);
+    const range = ip.range();
+    if (BLOCKED_IP_RANGES.includes(range)) {
+      throw new Error('Internal addresses not allowed');
+    }
+  }
+
+  return parsed.toString();
+}
+
+app.post('/api/fetch-url', async (req, res) => {
+  try {
+    const safeUrl = await validateUrl(req.body.url);
+    const response = await fetch(safeUrl, { redirect: 'error' });
+    const data = await response.text();
+    res.json({ content: data });
+  } catch (err) {
+    res.status(400).json({ error: err.message });
+  }
+});
+```
+
+### Checklist
+- [ ] All outbound HTTP requests validate destination URLs
+- [ ] Internal/private IP ranges blocked at application and network level
+- [ ] Cloud metadata endpoint blocked (169.254.169.254) — use IMDSv2 with hop limit
+- [ ] Only HTTPS protocol allowed for user-supplied URLs
+- [ ] Redirect following disabled or limited to prevent SSRF via redirect
+- [ ] Network segmentation: application servers cannot reach internal admin interfaces