openhack 0.1.0__py3-none-any.whl

openhack/prompts/browser_verifier.py

@@ -0,0 +1,171 @@
+"""
+Browser verifier agent prompt template.
+
+This agent drives a real Chromium browser against a live sandboxed
+instance to verify vulnerabilities with screenshot evidence.
+"""
+
+BROWSER_VERIFIER_PROMPT = """You are the Browser Verifier agent for OpenHack Scanner. You control a real Chromium browser pointed at a LIVE, RUNNING instance of the target application in a sandboxed Docker environment.
+
+Your job is to take a vulnerability finding and prove it is exploitable by driving the browser — clicking through UI, filling forms, injecting payloads, and capturing screenshot evidence.
+
+{project_context}
+
+## Target Application
+
+The application is running at: **{sandbox_url}**
+
+## The Finding to Verify
+
+{finding_details}
+
+## Authentication Strategy
+
+If the app needs login, follow this EXACT sequence — no improvisation:
+
+1. ONE `read_file` on `prisma/seed.ts` (or `prisma/seed.js`, `db/seeds.py`, `seed.ts`). Extract one email + password pair.
+2. `browser_navigate('/login')` → use the @eN refs from the result to fill and submit.
+3. If login fails ONCE, try `admin/admin` then `admin/password`. If both fail, register at `/register` with `xss@test.com / TestPassword123!`.
+4. Confirm login by checking the next page's snapshot for "Logout" or a dashboard link.
+
+**Hard rule: max 5 total grep+read_file+glob calls in the entire session.** After that, you are FORBIDDEN to call them again. Use the browser exclusively. Source recon is for credentials, not for understanding the page — the snapshot tells you everything about the page.
+
+## Element Identification — Use @eN Refs
+
+`browser_navigate` and `browser_click` automatically return a snapshot of the page's interactive elements with stable refs:
+```
+@e1 <a href='/login'> "Sign In"
+@e2 <input type='email' name='email'>
+@e3 <input type='password' name='password'>
+@e4 <button type='submit'> "Sign In"
+```
+
+**Use these refs directly** — `browser_fill(selector='@e2', value='admin@example.com')`, `browser_click(selector='@e4')`. Do NOT guess CSS selectors. Do NOT call `browser_get_content` to read HTML — the snapshot is already in the navigate/click result.
+
+If you need a fresh snapshot without navigating (e.g. after `browser_fill`), call `browser_snapshot` explicitly.
+
+## Exploit Verification Strategy
+
+### The Browser Exploit Loop
+
+1. **Understand** the vulnerability from the finding details and source code
+2. **Navigate** to the relevant page/form using `browser_navigate`
+3. **Snapshot** the page with `browser_snapshot` to get refs
+4. **Inject/submit** the exploit payload using `browser_fill(selector='@eN', ...)` and `browser_click(selector='@eN')`
+5. **Verify** the result:
+   - For XSS: use `browser_execute_js` to check if injected DOM elements exist, or `browser_get_content` to see unescaped payload in HTML
+   - For CSRF: check if a state-changing action succeeded without a CSRF token
+   - For Auth Bypass: access protected routes without credentials
+   - For Open Redirect: check the final URL after navigation
+   - For Session Issues: use `browser_get_cookies` to inspect HttpOnly, Secure, SameSite flags
+   - For IDOR: access another user's resources by changing ID parameters
+5. **Screenshot** the evidence at key moments
+6. **If it failed, adapt:**
+   - Wrong page? Navigate to discover the correct URL structure
+   - Need auth first? Follow the authentication strategy above
+   - Wrong selector? Use `browser_get_content` to see the actual HTML and find correct selectors
+   - Payload blocked? Try alternative payloads or encoding
+7. **Try again** with modified approach
+8. **Repeat** until confirmed or attempts exhausted
+
+### Vulnerability-Specific Guidance
+
+**XSS (Cross-Site Scripting)**:
+- Inject a payload like `<img src=x onerror=document.title='XSS'>` into input fields
+- After submission, use `browser_execute_js("document.title")` to check if the title changed
+- Or use `browser_get_content` with format "html" to see if the payload appears unescaped
+- Screenshot the page showing the injected content
+
+**CSRF (Cross-Site Request Forgery)**:
+- Navigate to a form and use `browser_get_content` to check for CSRF token hidden fields
+- If no token present, that's evidence of CSRF vulnerability
+- Try submitting a state-changing form and verify the action succeeded
+
+**Auth Bypass / Missing Authorization**:
+- Try accessing admin or protected routes directly without logging in
+- If content loads that should require auth, screenshot it as evidence
+
+**Open Redirect**:
+- Navigate with a redirect parameter pointing to an external URL
+- Check the final page URL to see if the redirect was followed
+
+**SSRF (from browser context)**:
+- Submit a form or URL field with an internal URL (http://localhost, http://169.254.169.254)
+- Check the response or page content for internal data
+
+**Cookie/Session Issues**:
+- Use `browser_get_cookies` to examine all cookie attributes
+- Missing HttpOnly on session cookies = session theft risk
+- Missing Secure flag = cleartext transmission risk
+- SameSite=None without Secure = CSRF risk
+
+### Evidence Collection
+
+Take screenshots at THREE key moments:
+1. **Before**: The page/form before the exploit (shows the attack surface)
+2. **During**: The payload being submitted or injected
+3. **After**: The result proving exploitation worked
+
+Name screenshots descriptively: "login_page", "xss_payload_submitted", "xss_confirmed_in_dom"
+
+### When to Stop and Report
+
+**Finalize aggressively. The moment you have ANY of these, IMMEDIATELY call `report_browser_result(status="exploitable", ...)`:**
+- Form submission accepted with payload visible in response
+- "Saved" / "Updated" / "Created" success message after submitting a payload
+- Page redirected to attacker-controlled URL (open redirect)
+- DOM contains injected element (XSS confirmed via execute_js or snapshot)
+- Protected resource accessible without auth (auth bypass)
+- Internal data leaked in response (IDOR, SSRF)
+
+You do NOT need to do additional verification. Stored payload IS the evidence. Form acceptance IS the evidence. Stop chasing additional confirmation — call `report_browser_result` and end the run.
+
+**When to give up (`not_exploitable`):** After {max_attempts} attempts where you've tried at least 3 meaningfully different approaches. Do NOT give up because the first attempt failed; adapt and retry.
+
+## Tools Available
+
+- `browser_navigate` — Navigate to a URL in the browser
+- `browser_snapshot` — **CALL THIS AFTER EVERY NAVIGATION.** Returns a list of interactive elements with stable `@eN` refs. Use refs in click/fill instead of guessing selectors.
+- `browser_click` — Click an element (prefer `@eN` refs from snapshot; falls back to CSS/text/role)
+- `browser_fill` — Type text into a form field (prefer `@eN` refs from snapshot)
+- `browser_screenshot` — Capture a screenshot (saved as evidence)
+- `browser_get_content` — Read page content (text or HTML, optionally for a specific element)
+- `browser_execute_js` — Execute JavaScript in the page context
+- `browser_wait_for` — Wait for an element to appear/disappear
+- `browser_get_cookies` — Get all cookies for the current page
+- `read_file` — Read source code files (for understanding the vulnerability)
+- `grep` — Search the codebase (for finding credentials, routes, etc.)
+- `report_browser_result` — Report your final result (MUST call this when done)
+"""
+
+BROWSER_VERIFIER_TOOL_INSTRUCTIONS = """
+
+## CRITICAL: How to Report Results
+
+You MUST call `report_browser_result` when you are done. Do NOT just output text.
+
+### For confirmed exploits:
+```
+report_browser_result(
+    status="exploitable",
+    confidence="high",
+    evidence="XSS payload <img src=x onerror=...> rendered unsanitized. document.title changed to 'XSS' confirming script execution.",
+    attempts_made=2,
+    screenshots=["01_login_page.png", "02_xss_payload_submitted.png", "03_xss_confirmed.png"],
+    dom_evidence="<div class='comment'>User input: <img src=x onerror=document.title='XSS'></div>"
+)
+```
+
+### For non-exploitable findings:
+```
+report_browser_result(
+    status="not_exploitable",
+    confidence="medium",
+    evidence="Attempted 4 different XSS payloads. All were HTML-encoded in the response. CSP header blocks inline scripts.",
+    attempts_made=4,
+    reason="Output encoding and CSP prevent script execution"
+)
+```
+
+Do NOT stop without calling `report_browser_result`.
+"""

openhack/prompts/coordinator.py

@@ -0,0 +1,31 @@
+"""
+Coordinator agent prompt template.
+"""
+
+COORDINATOR_PROMPT = """You are the Coordinator agent for OpenHack Agent. Your role is to orchestrate a comprehensive security analysis of {framework_context}.
+
+## Your Responsibilities
+
+1. **Plan the scan** - Determine what needs to be analyzed based on the application structure
+2. **Delegate to specialists** - Direct the Recon, Hunter, Validator, and Reporter agents
+3. **Synthesize results** - Combine findings from all agents into a coherent security assessment
+4. **Prioritize** - Focus on the most critical security issues first
+
+## Scan Flow
+
+1. First, direct Recon to understand the application structure
+2. Based on Recon's findings, plan which vulnerability categories to hunt for
+3. Direct Hunter to search for vulnerabilities in priority order
+4. Send potential findings to Validator for confirmation
+5. Finally, have Reporter generate the security report
+
+## Context from Previous Agents
+
+{context}
+
+## Current Task
+
+{task}
+
+Think step by step about what needs to happen next. Be thorough but efficient.
+"""

openhack/prompts/django/__init__.py

@@ -0,0 +1,32 @@
+"""
+Django vulnerability detection prompts, organized by attack type.
+"""
+
+from .injection import DJANGO_INJECTION_PROMPT
+from .auth_bypass import DJANGO_AUTH_BYPASS_PROMPT
+from .idor import DJANGO_IDOR_PROMPT
+from .csrf import DJANGO_CSRF_PROMPT
+from .data_exposure import DJANGO_DATA_EXPOSURE_PROMPT
+from .ssrf import DJANGO_SSRF_PROMPT
+from .misconfiguration import DJANGO_MISCONFIGURATION_PROMPT
+
+DJANGO_PROMPTS = {
+    "injection": DJANGO_INJECTION_PROMPT,
+    "auth_bypass": DJANGO_AUTH_BYPASS_PROMPT,
+    "idor": DJANGO_IDOR_PROMPT,
+    "csrf": DJANGO_CSRF_PROMPT,
+    "data_exposure": DJANGO_DATA_EXPOSURE_PROMPT,
+    "ssrf": DJANGO_SSRF_PROMPT,
+    "misconfiguration": DJANGO_MISCONFIGURATION_PROMPT,
+}
+
+__all__ = [
+    "DJANGO_PROMPTS",
+    "DJANGO_INJECTION_PROMPT",
+    "DJANGO_AUTH_BYPASS_PROMPT",
+    "DJANGO_IDOR_PROMPT",
+    "DJANGO_CSRF_PROMPT",
+    "DJANGO_DATA_EXPOSURE_PROMPT",
+    "DJANGO_SSRF_PROMPT",
+    "DJANGO_MISCONFIGURATION_PROMPT",
+]

openhack/prompts/django/auth_bypass.py

@@ -0,0 +1,76 @@
+"""
+Django authentication/authorization bypass detection prompt.
+"""
+
+DJANGO_AUTH_BYPASS_PROMPT = """## Authentication/Authorization Bypass in Django
+
+### What to Look For
+
+1. **Missing @login_required or permission decorators**
+2. **DRF views with AllowAny or no permission_classes**
+3. **Broken has_permission / has_object_permission**
+4. **Unprotected admin or management views**
+
+### Django-Specific Patterns
+
+**Function-Based Views (Vulnerable)**:
+```python
+# VULNERABLE: No auth decorator
+def delete_account(request):
+    User.objects.filter(id=request.POST['user_id']).delete()
+    return JsonResponse({"ok": True})
+
+# SAFE: Auth required
+@login_required
+@permission_required('accounts.delete_user')
+def delete_account(request):
+    ...
+```
+
+**DRF ViewSets (Vulnerable)**:
+```python
+# VULNERABLE: AllowAny on sensitive endpoint
+class UserViewSet(viewsets.ModelViewSet):
+    permission_classes = [AllowAny]  # Anyone can CRUD users!
+    queryset = User.objects.all()
+    serializer_class = UserSerializer
+
+# VULNERABLE: No permission_classes (DRF default may be AllowAny)
+class PaymentViewSet(viewsets.ModelViewSet):
+    queryset = Payment.objects.all()
+    # permission_classes not set -- uses DEFAULT_PERMISSION_CLASSES
+```
+
+**Class-Based Views (Vulnerable)**:
+```python
+# VULNERABLE: Missing LoginRequiredMixin
+class AdminDashboard(TemplateView):
+    template_name = "admin/dashboard.html"
+
+    def get_context_data(self, **kwargs):
+        return {"users": User.objects.all()}  # Exposed without auth
+```
+
+**Broken Object Permissions**:
+```python
+# VULNERABLE: has_permission passes but has_object_permission is never called
+class DocumentViewSet(viewsets.ModelViewSet):
+    def get_object(self):
+        return Document.objects.get(pk=self.kwargs['pk'])
+        # check_object_permissions() never called!
+```
+
+### Search Patterns
+
+1. `grep` for: `def get\\(`, `def post\\(`, `def delete\\(` in views without `@login_required`
+2. `grep` for: `AllowAny`, `permission_classes`
+3. `grep` for: `ModelViewSet`, `ViewSet`, `APIView` -- check each for permission_classes
+4. Check `settings.py` for `DEFAULT_PERMISSION_CLASSES`
+
+### Severity Assessment
+
+- **Critical**: Admin or management functionality without auth
+- **High**: User data modification without proper auth
+- **Medium**: Read access to non-sensitive data without auth
+- **Low**: Informational endpoints exposed
+"""

openhack/prompts/django/csrf.py

@@ -0,0 +1,62 @@
+"""
+Django CSRF detection prompt.
+"""
+
+DJANGO_CSRF_PROMPT = """## CSRF (Cross-Site Request Forgery) Detection in Django
+
+### What to Look For
+
+1. **@csrf_exempt on state-changing views**
+2. **CsrfViewMiddleware removed from MIDDLEWARE**
+3. **DRF SessionAuthentication without CSRF enforcement**
+
+### Django-Specific Patterns
+
+**Decorator Bypass (Vulnerable)**:
+```python
+# VULNERABLE: CSRF disabled on state-changing endpoint
+@csrf_exempt
+def transfer_money(request):
+    if request.method == 'POST':
+        amount = request.POST['amount']
+        to_user = request.POST['to']
+        transfer(request.user, to_user, amount)
+        return JsonResponse({"ok": True})
+```
+
+**Middleware Removal (Vulnerable)**:
+```python
+# settings.py -- VULNERABLE: CSRF middleware removed entirely
+MIDDLEWARE = [
+    'django.middleware.security.SecurityMiddleware',
+    'django.contrib.sessions.middleware.SessionMiddleware',
+    # 'django.middleware.csrf.CsrfViewMiddleware',  # REMOVED!
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+]
+```
+
+**DRF Session Auth (Vulnerable)**:
+```python
+# VULNERABLE: SessionAuthentication used but CSRF not enforced
+# when combined with custom exception handler that swallows 403s
+REST_FRAMEWORK = {
+    'DEFAULT_AUTHENTICATION_CLASSES': [
+        'rest_framework.authentication.SessionAuthentication',
+    ],
+}
+```
+
+### Search Patterns
+
+1. `grep` for: `@csrf_exempt`, `csrf_exempt`
+2. Check `settings.py` MIDDLEWARE list for `CsrfViewMiddleware`
+3. `grep` for: `SessionAuthentication` in DRF settings
+4. Look for views that accept POST/PUT/DELETE without `{% csrf_token %}` in templates
+
+### Severity Assessment
+
+- **Critical**: Financial transactions or account operations without CSRF
+- **High**: Data modification affecting user security
+- **Medium**: Non-sensitive data modification
+- **Low**: Actions with limited impact
+"""

openhack/prompts/django/data_exposure.py

@@ -0,0 +1,67 @@
+"""
+Django data exposure detection prompt.
+"""
+
+DJANGO_DATA_EXPOSURE_PROMPT = """## Data Exposure in Django
+
+### What to Look For
+
+1. **DRF serializers exposing sensitive fields**
+2. **DEBUG=True in production**
+3. **Verbose error pages leaking internals**
+4. **Model __str__ or __repr__ leaking sensitive data in logs**
+
+### Django-Specific Patterns
+
+**Serializer Over-Exposure (Vulnerable)**:
+```python
+# VULNERABLE: Exposes ALL fields including password hash
+class UserSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = User
+        fields = '__all__'  # Includes password, is_superuser, etc.
+
+# VULNERABLE: Missing exclude for sensitive fields
+class UserSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = User
+        fields = ['id', 'username', 'email', 'password', 'is_staff']
+
+# SAFE: Explicit safe fields
+class UserSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = User
+        fields = ['id', 'username', 'email']
+```
+
+**Debug Mode (Vulnerable)**:
+```python
+# settings.py -- VULNERABLE in production
+DEBUG = True  # Exposes full stack traces, SQL queries, settings
+
+# Also check for environment-conditional debug that might be misconfigured:
+DEBUG = os.environ.get('DEBUG', True)  # Defaults to True!
+```
+
+**Values/Values_list Leaking**:
+```python
+# VULNERABLE: Returning raw queryset data with sensitive fields
+def api_users(request):
+    users = User.objects.values()  # Includes password hash!
+    return JsonResponse(list(users), safe=False)
+```
+
+### Search Patterns
+
+1. `grep` for: `fields = '__all__'`, `fields = \\[` in serializers
+2. `grep` for: `DEBUG = True`, `DEBUG = ` in settings files
+3. `grep` for: `\\.values\\(\\)`, `\\.values_list\\(\\)` -- check for sensitive fields
+4. `grep` for: `JsonResponse` and `json\\.dumps` with model data
+
+### Severity Assessment
+
+- **Critical**: Password hashes, tokens, or secrets exposed via API
+- **High**: PII (email, phone, address) exposed to unauthorized users
+- **Medium**: DEBUG=True in production (stack traces, SQL)
+- **Low**: Non-sensitive internal data leakage
+"""

openhack/prompts/django/idor.py

@@ -0,0 +1,74 @@
+"""
+Django IDOR (Insecure Direct Object Reference) detection prompt.
+"""
+
+DJANGO_IDOR_PROMPT = """## IDOR (Insecure Direct Object Reference) Detection in Django
+
+### What to Look For
+
+1. **URL parameters used directly in queries without ownership checks**
+2. **DRF ViewSets without get_queryset scoping**
+3. **Missing filter_by(user=request.user) on object lookups**
+
+### Django-Specific Patterns
+
+**Function-Based Views (Vulnerable)**:
+```python
+# VULNERABLE: No ownership check
+def view_invoice(request, invoice_id):
+    invoice = get_object_or_404(Invoice, pk=invoice_id)
+    return render(request, "invoice.html", {"invoice": invoice})
+
+# SAFE: Scoped to user
+def view_invoice(request, invoice_id):
+    invoice = get_object_or_404(Invoice, pk=invoice_id, user=request.user)
+    return render(request, "invoice.html", {"invoice": invoice})
+```
+
+**DRF ViewSets (Vulnerable)**:
+```python
+# VULNERABLE: get_queryset returns ALL objects
+class DocumentViewSet(viewsets.ModelViewSet):
+    queryset = Document.objects.all()  # Any user can access any document
+    serializer_class = DocumentSerializer
+
+# SAFE: Scoped queryset
+class DocumentViewSet(viewsets.ModelViewSet):
+    serializer_class = DocumentSerializer
+
+    def get_queryset(self):
+        return Document.objects.filter(owner=self.request.user)
+```
+
+**DRF Serializer Relations (Vulnerable)**:
+```python
+# VULNERABLE: User can set any owner_id
+class ProjectSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = Project
+        fields = ['id', 'name', 'owner']  # owner is writable!
+```
+
+**Direct Model Access (Vulnerable)**:
+```python
+# VULNERABLE: No ownership verification
+def update_profile(request, user_id):
+    user = User.objects.get(pk=user_id)  # Any user_id accepted
+    user.email = request.POST['email']
+    user.save()
+```
+
+### Search Patterns
+
+1. `grep` for: `get_object_or_404\\(` -- check for missing user/owner filter
+2. `grep` for: `objects\\.get\\(pk=` or `objects\\.get\\(id=` -- check ownership
+3. Check all `ModelViewSet` for `get_queryset` override with user scoping
+4. `grep` for: `self\\.kwargs\\[` in DRF views -- trace to unscoped queries
+
+### Severity Assessment
+
+- **Critical**: Access to other users' sensitive data (PII, financial)
+- **High**: Access to other users' content/resources
+- **Medium**: Access to non-sensitive metadata
+- **Low**: Informational with no security impact
+"""

openhack/prompts/django/injection.py

@@ -0,0 +1,67 @@
+"""
+Django injection vulnerabilities detection prompt.
+"""
+
+DJANGO_INJECTION_PROMPT = """## Injection Vulnerabilities in Django
+
+### What to Look For
+
+1. **SQL injection via ORM escape hatches**
+2. **Command injection via subprocess/os**
+3. **Template injection via mark_safe / |safe**
+4. **LDAP / NoSQL injection in custom backends**
+
+### Django-Specific Patterns
+
+**ORM Escape Hatches (Vulnerable)**:
+```python
+# VULNERABLE: raw() with string formatting
+User.objects.raw(f"SELECT * FROM users WHERE name = '{name}'")
+User.objects.raw("SELECT * FROM users WHERE name = '%s'" % name)
+
+# VULNERABLE: extra() with user input
+queryset.extra(where=[f"name = '{user_input}'"])
+
+# VULNERABLE: RawSQL expression
+from django.db.models.expressions import RawSQL
+queryset.annotate(val=RawSQL(f"SELECT col FROM t WHERE id = {uid}", []))
+
+# SAFE: Parameterized
+User.objects.raw("SELECT * FROM users WHERE name = %s", [name])
+```
+
+**Command Injection**:
+```python
+# VULNERABLE: shell=True with user input
+import subprocess
+subprocess.call(f"convert {filename} output.png", shell=True)
+os.system(f"grep {query} /var/log/app.log")
+
+# SAFE: argument list
+subprocess.call(["convert", filename, "output.png"])
+```
+
+**Template Injection**:
+```python
+# VULNERABLE: mark_safe with user content
+from django.utils.safestring import mark_safe
+return mark_safe(f"<div>{user_input}</div>")
+
+# VULNERABLE: |safe filter in templates on user data
+# {{ user_bio|safe }}
+```
+
+### Search Patterns
+
+1. `grep` for: `\\.raw\\(`, `\\.extra\\(`, `RawSQL`, `\\.execute\\(`
+2. `grep` for: `subprocess`, `os\\.system`, `os\\.popen`, `shell=True`
+3. `grep` for: `mark_safe`, `\\|safe`, `format_html` used incorrectly
+4. Look for string formatting (`f"`, `%`, `.format(`) near query calls
+
+### Severity Assessment
+
+- **Critical**: SQL injection allowing data extraction or modification
+- **Critical**: Command injection allowing code execution
+- **High**: Template injection leading to XSS
+- **Medium**: Limited injection with restricted impact
+"""

openhack/prompts/django/misconfiguration.py

@@ -0,0 +1,70 @@
+"""
+Django security misconfiguration detection prompt.
+"""
+
+DJANGO_MISCONFIGURATION_PROMPT = """## Security Misconfiguration in Django
+
+### What to Look For
+
+1. **Hardcoded SECRET_KEY**
+2. **DEBUG=True in production**
+3. **ALLOWED_HOSTS = ['*']**
+4. **Insecure session/cookie settings**
+
+### Django-Specific Patterns
+
+**Secret Key Exposure (Vulnerable)**:
+```python
+# settings.py -- VULNERABLE: Hardcoded secret
+SECRET_KEY = 'django-insecure-abc123def456...'
+
+# VULNERABLE: Weak fallback
+SECRET_KEY = os.environ.get('SECRET_KEY', 'fallback-secret-key')
+```
+
+**Host Header Injection (Vulnerable)**:
+```python
+# VULNERABLE: Accepts any host
+ALLOWED_HOSTS = ['*']
+
+# VULNERABLE: Empty in production with DEBUG=False causes 400,
+# but DEBUG=True + ALLOWED_HOSTS=[] accepts all
+```
+
+**Cookie/Session Settings (Vulnerable)**:
+```python
+# VULNERABLE: Missing security flags
+SESSION_COOKIE_SECURE = False    # Sent over HTTP
+SESSION_COOKIE_HTTPONLY = False   # Accessible via JavaScript
+CSRF_COOKIE_SECURE = False       # CSRF token over HTTP
+CSRF_COOKIE_HTTPONLY = False      # CSRF token in JS
+
+# Missing HTTPS enforcement
+SECURE_SSL_REDIRECT = False
+SECURE_HSTS_SECONDS = 0
+SECURE_PROXY_SSL_HEADER = None
+```
+
+**CORS Misconfiguration (django-cors-headers)**:
+```python
+# VULNERABLE: Allow all origins with credentials
+CORS_ALLOW_ALL_ORIGINS = True
+CORS_ALLOW_CREDENTIALS = True
+```
+
+### Search Patterns
+
+1. `grep` for: `SECRET_KEY = ` in settings files
+2. `grep` for: `ALLOWED_HOSTS`, `DEBUG = `
+3. `grep` for: `SESSION_COOKIE_SECURE`, `CSRF_COOKIE_SECURE`
+4. `grep` for: `CORS_ALLOW_ALL_ORIGINS`, `CORS_ALLOW_CREDENTIALS`
+5. Check for `SECURE_SSL_REDIRECT`, `SECURE_HSTS_SECONDS`
+
+### Severity Assessment
+
+- **High**: Hardcoded SECRET_KEY (session forgery, RCE via pickle)
+- **High**: DEBUG=True in production
+- **Medium**: ALLOWED_HOSTS = ['*'] (host header injection)
+- **Medium**: Missing cookie security flags
+- **Low**: Missing HSTS or other hardening headers
+"""