This skill should be used when the user asks about "security misconfiguration", "default credentials", "debug mode", "security headers", "exposed endpoints", "TLS configuration", or needs to find configuration-related vulnerabilities during whitebox pentesting.
From vuln-scoutnpx claudepluginhub allsmog/vuln-scout --plugin vuln-scoutThis skill uses the workspace's default tool permissions.
Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
Provide detection patterns for security misconfiguration vulnerabilities including default credentials, debug mode exposure, missing security headers, and insecure TLS settings.
Category: A05 - Security Misconfiguration
CWEs:
Activate this skill when:
# Django debug mode
grep -rniE "DEBUG\s*=\s*True" --include="*.py" --include="settings.py"
# Flask debug mode
grep -rniE "app\.debug\s*=\s*True|FLASK_DEBUG|debug=True" --include="*.py"
# Environment files
grep -rniE "DEBUG=1|DEBUG=true|DEBUG=True" --include="*.env" --include=".env*"
# Spring DevTools / Debug
grep -rniE "spring\.devtools|management\.endpoints\.web\.exposure|actuator" --include="*.properties" --include="*.yaml" --include="*.yml"
# Exposed actuator endpoints
grep -rniE "exposure\.include.*\*|exposure\.include.*health,info,env" --include="*.properties" --include="*.yaml"
# Display errors
grep -rniE "display_errors.*On|display_errors.*1|error_reporting.*E_ALL" --include="*.php" --include="php.ini"
# Laravel debug
grep -rniE "APP_DEBUG=true|'debug'.*=>.*true" --include="*.env" --include="*.php"
# Gin debug mode
grep -rniE "gin\.SetMode.*gin\.DebugMode|GIN_MODE=debug" --include="*.go" --include="*.env"
# pprof enabled
grep -rniE "net/http/pprof|/debug/pprof" --include="*.go"
# Debug environment
grep -rniE "NODE_ENV.*development|DEBUG=\*|debug.*true" --include="*.ts" --include="*.js" --include="*.env"
# Common default passwords
grep -rniE "password.*['\"]admin['\"]|password.*['\"]123456['\"]|password.*['\"]password['\"]|password.*['\"]root['\"]|password.*['\"]test['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Default usernames with passwords
grep -rniE "admin.*admin|root.*root|user.*password|test.*test" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.env" --include="*.yaml"
# Database defaults
grep -rniE "postgres.*postgres|mysql.*root|mongodb.*admin" --include="*.env" --include="*.yaml" --include="*.properties"
| Service | Username | Password |
|---|---|---|
| PostgreSQL | postgres | postgres |
| MySQL | root | (empty) |
| MongoDB | admin | admin |
| Redis | (none) | (none) |
| RabbitMQ | guest | guest |
| Elasticsearch | elastic | changeme |
| Jenkins | admin | admin |
| Grafana | admin | admin |
# Admin routes
grep -rniE "[\"\'/]admin|[\"\'/]_admin|[\"\'/]administrator" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Debug/Dev endpoints
grep -rniE "[\"\'/]debug|[\"\'/]_debug|[\"\'/]dev|[\"\'/]test" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Internal endpoints
grep -rniE "[\"\'/]internal|[\"\'/]private|[\"\'/]system" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Monitoring endpoints
grep -rniE "[\"\'/]metrics|[\"\'/]health|[\"\'/]status|[\"\'/]actuator|[\"\'/]swagger|[\"\'/]graphql" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
| Framework | Endpoint | Risk |
|---|---|---|
| Spring Boot | /actuator/* | Env vars, heap dump |
| Django | /admin/ | Admin panel |
| Rails | /rails/info | Version disclosure |
| Laravel | /telescope | Debug info |
| Express | /graphql | Introspection |
| Go pprof | /debug/pprof | Memory/CPU profiling |
# Look for header setting code
grep -rniE "Content-Security-Policy|X-Frame-Options|X-Content-Type-Options|Strict-Transport-Security|X-XSS-Protection" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Middleware/interceptor configuration
grep -rniE "helmet|securityHeaders|addHeader|setHeader.*security" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
| Header | Value | Purpose |
|---|---|---|
| Content-Security-Policy | default-src 'self' | Prevent XSS |
| X-Frame-Options | DENY | Prevent clickjacking |
| X-Content-Type-Options | nosniff | Prevent MIME sniffing |
| Strict-Transport-Security | max-age=31536000 | Force HTTPS |
| X-XSS-Protection | 1; mode=block | XSS filter (legacy) |
| Referrer-Policy | strict-origin-when-cross-origin | Control referrer |
| Permissions-Policy | geolocation=() | Limit browser features |
# Insecure TLS versions
grep -rniE "SSLv2|SSLv3|TLSv1\.0|TLSv1\.1|ssl\.PROTOCOL_SSLv|TLS_RSA_" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Disabled certificate verification
grep -rniE "verify.*false|InsecureSkipVerify.*true|VERIFY_NONE|verify_ssl.*False|rejectUnauthorized.*false" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Weak ciphers
grep -rniE "DES|RC4|MD5|NULL|EXPORT|anon" --include="*.go" --include="*.py" --include="*.java" --include="*.conf"
Minimum: TLS 1.2 Recommended: TLS 1.3
Safe cipher suites:
# Nginx
grep -rniE "autoindex\s+on" --include="*.conf" --include="nginx.conf"
# Apache
grep -rniE "Options.*Indexes|DirectoryIndex" --include="*.conf" --include=".htaccess"
# Application-level
grep -rniE "directory.*listing|listFiles|readdir" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
Proxy caches (Nginx, Varnish, CDN) can expose sensitive data if:
See also: cache-poisoning skill for comprehensive cache attack patterns.
# Nginx proxy cache configuration
grep -rniE "proxy_cache|proxy_cache_valid|proxy_cache_key" --include="*.conf" --include="nginx.conf"
# CRITICAL: Cache rules for static extensions on dynamic paths
grep -rniE "location.*\.(css|js|png|jpg|jpeg|gif|ico|svg)" -A10 --include="*.conf" | grep -iE "proxy_cache|cache"
# Missing cache bypass for authenticated requests
grep -rniE "proxy_cache_bypass|proxy_no_cache" --include="*.conf"
# Varnish cache rules
grep -rniE "vcl_recv|vcl_hash|set beresp\.ttl" --include="*.vcl"
proxy_cache_bypass $http_authorization)# Wildcard origin
grep -rniE "Access-Control-Allow-Origin.*\*|AllowAllOrigins|cors.*origin.*\*" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Dynamic origin reflection (vulnerable)
grep -rniE "Origin.*header|request\.headers\.origin|getHeader.*Origin" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Credentials with wildcard (invalid but attempted)
grep -rniE "Access-Control-Allow-Credentials.*true" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Stack traces in responses
grep -rniE "printStackTrace|traceback|\.stack|debug.*true.*error" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Detailed error responses
grep -rniE "error.*message.*\+|err\.Error\(\)|e\.getMessage\(\)" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# HTTP methods (should disable unused)
grep -rniE "TRACE|OPTIONS|PUT|DELETE" --include="*.conf" --include="*.xml"
# Unused ports
grep -rniE "listen.*22|listen.*21|listen.*3306|listen.*5432" --include="*.conf" --include="*.yaml"
# Development dependencies in production
grep -rniE "devDependencies|dev-dependencies" --include="package.json" --include="Cargo.toml"
grep -rniE "DEBUG|SECRET_KEY|ALLOWED_HOSTS.*\*|CSRF_COOKIE_SECURE.*False|SESSION_COOKIE_SECURE.*False" --include="settings.py"
grep -rniE "management\.endpoints|spring\.datasource\.password|server\.error\.include-stacktrace" --include="*.properties" --include="*.yaml"
grep -rniE "trust proxy|x-powered-by|helmet|NODE_ENV" --include="*.ts" --include="*.js"
grep -rniE "APP_DEBUG|APP_KEY|MAIL_PASSWORD|DB_PASSWORD" --include=".env" --include="*.php"
| CWE | Name | Example |
|---|---|---|
| CWE-16 | Configuration | Insecure default settings |
| CWE-209 | Error Info Exposure | Stack traces to users |
| CWE-215 | Debug Info Exposure | Debug endpoints accessible |
| CWE-524 | Sensitive Info in Cache | Authenticated data cached by proxy |
| CWE-548 | Directory Listing | autoindex on |
| CWE-756 | Missing Error Page | Default error pages |