Security Misconfiguration
npx machina-cli add skill allsmog/vuln-scout/security-misconfiguration --openclawFiles (1)
SKILL.md
10.8 KB
Security Misconfiguration (OWASP A02)
Purpose
Provide detection patterns for security misconfiguration vulnerabilities including default credentials, debug mode exposure, missing security headers, and insecure TLS settings.
OWASP 2025 Mapping
Category: A02 - Security Misconfiguration
CWEs:
- CWE-16: Configuration
- CWE-209: Information Exposure Through Error Messages
- CWE-215: Information Exposure Through Debug Information
- CWE-548: Information Exposure Through Directory Listing
- CWE-756: Missing Custom Error Page
When to Use
Activate this skill when:
- Reviewing application configuration files
- Checking for exposed debug/admin endpoints
- Auditing security header implementation
- Verifying TLS/SSL configuration
- Looking for default or weak credentials
Debug Mode Enabled
Detection Patterns
Python (Django/Flask)
# Django debug mode
grep -rniE "DEBUG\s*=\s*True" --include="*.py" --include="settings.py"
# Flask debug mode
grep -rniE "app\.debug\s*=\s*True|FLASK_DEBUG|debug=True" --include="*.py"
# Environment files
grep -rniE "DEBUG=1|DEBUG=true|DEBUG=True" --include="*.env" --include=".env*"
Java (Spring)
# Spring DevTools / Debug
grep -rniE "spring\.devtools|management\.endpoints\.web\.exposure|actuator" --include="*.properties" --include="*.yaml" --include="*.yml"
# Exposed actuator endpoints
grep -rniE "exposure\.include.*\*|exposure\.include.*health,info,env" --include="*.properties" --include="*.yaml"
PHP
# Display errors
grep -rniE "display_errors.*On|display_errors.*1|error_reporting.*E_ALL" --include="*.php" --include="php.ini"
# Laravel debug
grep -rniE "APP_DEBUG=true|'debug'.*=>.*true" --include="*.env" --include="*.php"
Go
# Gin debug mode
grep -rniE "gin\.SetMode.*gin\.DebugMode|GIN_MODE=debug" --include="*.go" --include="*.env"
# pprof enabled
grep -rniE "net/http/pprof|/debug/pprof" --include="*.go"
TypeScript/Node.js
# Debug environment
grep -rniE "NODE_ENV.*development|DEBUG=\*|debug.*true" --include="*.ts" --include="*.js" --include="*.env"
Default Credentials
Detection Patterns
# Common default passwords
grep -rniE "password.*['\"]admin['\"]|password.*['\"]123456['\"]|password.*['\"]password['\"]|password.*['\"]root['\"]|password.*['\"]test['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Default usernames with passwords
grep -rniE "admin.*admin|root.*root|user.*password|test.*test" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.env" --include="*.yaml"
# Database defaults
grep -rniE "postgres.*postgres|mysql.*root|mongodb.*admin" --include="*.env" --include="*.yaml" --include="*.properties"
Common Default Credentials to Check
| Service | Username | Password |
|---|---|---|
| PostgreSQL | postgres | postgres |
| MySQL | root | (empty) |
| MongoDB | admin | admin |
| Redis | (none) | (none) |
| RabbitMQ | guest | guest |
| Elasticsearch | elastic | changeme |
| Jenkins | admin | admin |
| Grafana | admin | admin |
Exposed Admin/Debug Endpoints
Detection Patterns
# Admin routes
grep -rniE "[\"\'/]admin|[\"\'/]_admin|[\"\'/]administrator" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Debug/Dev endpoints
grep -rniE "[\"\'/]debug|[\"\'/]_debug|[\"\'/]dev|[\"\'/]test" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Internal endpoints
grep -rniE "[\"\'/]internal|[\"\'/]private|[\"\'/]system" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Monitoring endpoints
grep -rniE "[\"\'/]metrics|[\"\'/]health|[\"\'/]status|[\"\'/]actuator|[\"\'/]swagger|[\"\'/]graphql" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
Framework-Specific Endpoints
| Framework | Endpoint | Risk |
|---|---|---|
| Spring Boot | /actuator/* | Env vars, heap dump |
| Django | /admin/ | Admin panel |
| Rails | /rails/info | Version disclosure |
| Laravel | /telescope | Debug info |
| Express | /graphql | Introspection |
| Go pprof | /debug/pprof | Memory/CPU profiling |
Missing Security Headers
Detection Patterns
# Look for header setting code
grep -rniE "Content-Security-Policy|X-Frame-Options|X-Content-Type-Options|Strict-Transport-Security|X-XSS-Protection" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Middleware/interceptor configuration
grep -rniE "helmet|securityHeaders|addHeader|setHeader.*security" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
Required Security Headers
| Header | Value | Purpose |
|---|---|---|
| Content-Security-Policy | default-src 'self' | Prevent XSS |
| X-Frame-Options | DENY | Prevent clickjacking |
| X-Content-Type-Options | nosniff | Prevent MIME sniffing |
| Strict-Transport-Security | max-age=31536000 | Force HTTPS |
| X-XSS-Protection | 1; mode=block | XSS filter (legacy) |
| Referrer-Policy | strict-origin-when-cross-origin | Control referrer |
| Permissions-Policy | geolocation=() | Limit browser features |
TLS/SSL Misconfiguration
Detection Patterns
# Insecure TLS versions
grep -rniE "SSLv2|SSLv3|TLSv1\.0|TLSv1\.1|ssl\.PROTOCOL_SSLv|TLS_RSA_" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Disabled certificate verification
grep -rniE "verify.*false|InsecureSkipVerify.*true|VERIFY_NONE|verify_ssl.*False|rejectUnauthorized.*false" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Weak ciphers
grep -rniE "DES|RC4|MD5|NULL|EXPORT|anon" --include="*.go" --include="*.py" --include="*.java" --include="*.conf"
Secure TLS Configuration
Minimum: TLS 1.2 Recommended: TLS 1.3
Safe cipher suites:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
Directory Listing
Detection Patterns
# Nginx
grep -rniE "autoindex\s+on" --include="*.conf" --include="nginx.conf"
# Apache
grep -rniE "Options.*Indexes|DirectoryIndex" --include="*.conf" --include=".htaccess"
# Application-level
grep -rniE "directory.*listing|listFiles|readdir" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
Proxy Cache Misconfiguration
Overview
Proxy caches (Nginx, Varnish, CDN) can expose sensitive data if:
- Authenticated responses are cached based on file extension
- Cache key doesn't include session/auth identifiers
- Dynamic paths are cached as static content
See also: cache-poisoning skill for comprehensive cache attack patterns.
Detection Patterns
# Nginx proxy cache configuration
grep -rniE "proxy_cache|proxy_cache_valid|proxy_cache_key" --include="*.conf" --include="nginx.conf"
# CRITICAL: Cache rules for static extensions on dynamic paths
grep -rniE "location.*\.(css|js|png|jpg|jpeg|gif|ico|svg)" -A10 --include="*.conf" | grep -iE "proxy_cache|cache"
# Missing cache bypass for authenticated requests
grep -rniE "proxy_cache_bypass|proxy_no_cache" --include="*.conf"
# Varnish cache rules
grep -rniE "vcl_recv|vcl_hash|set beresp\.ttl" --include="*.vcl"
Security Checklist
- Authenticated responses excluded from cache (
proxy_cache_bypass $http_authorization) - Cache key includes user identifier for personalized content
- Cache-Control: private set for authenticated endpoints
- Vary: Authorization header used appropriately
CORS Misconfiguration
Detection Patterns
# Wildcard origin
grep -rniE "Access-Control-Allow-Origin.*\*|AllowAllOrigins|cors.*origin.*\*" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Dynamic origin reflection (vulnerable)
grep -rniE "Origin.*header|request\.headers\.origin|getHeader.*Origin" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Credentials with wildcard (invalid but attempted)
grep -rniE "Access-Control-Allow-Credentials.*true" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
Verbose Error Messages
Detection Patterns
# Stack traces in responses
grep -rniE "printStackTrace|traceback|\.stack|debug.*true.*error" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Detailed error responses
grep -rniE "error.*message.*\+|err\.Error\(\)|e\.getMessage\(\)" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
Unnecessary Features Enabled
Detection Patterns
# HTTP methods (should disable unused)
grep -rniE "TRACE|OPTIONS|PUT|DELETE" --include="*.conf" --include="*.xml"
# Unused ports
grep -rniE "listen.*22|listen.*21|listen.*3306|listen.*5432" --include="*.conf" --include="*.yaml"
# Development dependencies in production
grep -rniE "devDependencies|dev-dependencies" --include="package.json" --include="Cargo.toml"
Framework-Specific Checks
Django
grep -rniE "DEBUG|SECRET_KEY|ALLOWED_HOSTS.*\*|CSRF_COOKIE_SECURE.*False|SESSION_COOKIE_SECURE.*False" --include="settings.py"
Spring Boot
grep -rniE "management\.endpoints|spring\.datasource\.password|server\.error\.include-stacktrace" --include="*.properties" --include="*.yaml"
Express/Node.js
grep -rniE "trust proxy|x-powered-by|helmet|NODE_ENV" --include="*.ts" --include="*.js"
Laravel
grep -rniE "APP_DEBUG|APP_KEY|MAIL_PASSWORD|DB_PASSWORD" --include=".env" --include="*.php"
Verification Checklist
- Debug mode disabled in production
- No default credentials
- Admin endpoints protected
- Security headers implemented
- TLS 1.2+ only
- Certificate verification enabled
- Directory listing disabled
- CORS properly configured
- Error messages sanitized
- Unnecessary features disabled
CWE References
| CWE | Name | Example |
|---|---|---|
| CWE-16 | Configuration | Insecure default settings |
| CWE-209 | Error Info Exposure | Stack traces to users |
| CWE-215 | Debug Info Exposure | Debug endpoints accessible |
| CWE-524 | Sensitive Info in Cache | Authenticated data cached by proxy |
| CWE-548 | Directory Listing | autoindex on |
| CWE-756 | Missing Error Page | Default error pages |
Source
git clone https://github.com/allsmog/vuln-scout/blob/main/whitebox-pentest/skills/security-misconfiguration/SKILL.mdView on GitHub Overview
Security Misconfiguration identifies configuration weaknesses that expose apps to default credentials, debug mode leakage, missing security headers, and insecure TLS settings. It aids whitebox pentesters by surfacing misconfig patterns across code, configs, and endpoints, helping prioritize remediation.
How This Skill Works
The skill aggregates detection patterns and grep-based checks across common stacks (Python, Java, PHP, Go, Node/TS) to locate misconfig exposures like debug flags, insecure TLS, and exposed admin endpoints. It maps findings to OWASP A02 and relevant CWEs to contextualize risk.
When to Use It
- Reviewing application configuration files and settings
- Checking for exposed debug/admin endpoints
- Auditing security header implementation
- Verifying TLS/SSL configuration and cipher suites
- Looking for default or weak credentials
Quick Start
- Step 1: Run grep-based checks across code and env files to surface misconfig patterns (DEBUG, APP_DEBUG, display_errors, etc.)
- Step 2: Inspect flagged files for exposure risk and endpoint access patterns
- Step 3: Recommend fixes (disable debug, enforce headers, restrict endpoints, fix TLS, rotate credentials) and document remediation
Best Practices
- Search for DEBUG and development flags in code and environment files
- Validate that security headers (HSTS, X-Content-Type-Options, etc.) are implemented
- Audit and harden TLS configurations (TLS versions, ciphers, and certs)
- Identify and restrict exposed admin, debug, and internal endpoints
- Rotate default credentials and enforce unique credentials per service
Example Use Cases
- Django project with DEBUG=True in settings.py
- Spring Boot actuator endpoints publicly exposed
- PHP app displaying error messages (display_errors On)
- Default credentials like admin:admin detected in config files
- Exposed admin routes such as /admin or /internal
Frequently Asked Questions
Add this skill to your agents
