From security-research
Detect configuration, cryptographic, and deployment security vulnerabilities — debug mode, CORS misconfiguration, missing headers, exposed admin endpoints, default credentials, hardcoded secrets, weak password hashing, insecure RNG, ECB mode, TLS bypass, timing attacks, container/Kubernetes misconfig. Consolidated detection skill for all configuration and crypto patterns.
npx claudepluginhub pucagit/claude-plugin --plugin security-research
This skill uses the workspace's default tool permissions.
Find security misconfigurations, deployment weaknesses, and cryptographic failures that weaken the application's security posture.
Before hunting, read references/cool_techniques.md for applicable config/crypto detection techniques learned from previous audits. Apply any relevant techniques during your analysis.
| Category | Sub-Types |
|---|---|
| Debug/Error | Debug mode in production, verbose error messages, stack traces |
| CORS | Wildcard origin + credentials, reflect-origin, missing validation |
| Headers | Missing HSTS, CSP, X-Frame-Options, X-Content-Type-Options |
| Exposed Endpoints | Admin panels, debug toolbars, actuators, API docs without auth |
| Default Creds | Hardcoded passwords in config, default admin credentials |
| Secrets | Hardcoded API keys, private keys, JWT secrets in source |
| Password Hashing | MD5/SHA1 for passwords, unsalted hashes, custom crypto |
| RNG | random.random()/Math.random() for security tokens |
| Encryption | ECB mode, IV reuse in AES-CBC, fixed/null IVs |
| TLS | verify=False, InsecureSkipVerify, certificate bypass |
| Timing Attacks | Non-constant-time signature/token comparison |
| Key Storage | Private keys in source, unencrypted secrets at rest |
| Container | Privileged containers, host namespaces, wildcard RBAC |
```bash
# Debug mode enabled
grep -rn "DEBUG\s*=\s*True\|debug\s*=\s*true\|DEBUG\s*=\s*1\|app\.debug\s*=\s*True\|\"debug\":\s*true" \
  --include="*.py" --include="*.js" --include="*.ts" --include="*.java" \
  --include="*.env" --include="*.conf" --include="*.ini" --include="*.yaml" \
  --include="*.yml" --include="*.json" --include="*.toml" \
  "${TARGET_SOURCE}" | grep -v "test\|spec\|False\|false"
# Check if env-conditional (safer)
grep -rn "if.*DEBUG\|os\.environ.*DEBUG\|process\.env.*DEBUG\|getenv.*DEBUG" \
  --include="*.py" --include="*.js" --include="*.ts" "${TARGET_SOURCE}"

# CORS: wildcard origins
grep -rn "Access-Control-Allow-Origin.*\*\|allow_origins.*\*\|CORS.*origins.*\*\|AllowAllOrigins\|allow_all_origins" \
  --include="*.py" --include="*.js" --include="*.ts" --include="*.java" \
  --include="*.go" --include="*.rb" --include="*.php" --include="*.cs" "${TARGET_SOURCE}"
# CORS: credentials allowed (correlate with the wildcard hits above)
grep -rn "Access-Control-Allow-Credentials.*true\|allow_credentials.*true\|AllowCredentials.*true\|supports_credentials.*True" \
  --include="*.py" --include="*.js" --include="*.ts" --include="*.java" \
  --include="*.go" --include="*.rb" "${TARGET_SOURCE}"

# Security headers: list where each header is set; no hit means the header is missing
grep -rn "X-Frame-Options\|X-Content-Type-Options\|Strict-Transport-Security\|Content-Security-Policy\|Referrer-Policy\|Permissions-Policy" \
  --include="*.py" --include="*.js" --include="*.ts" --include="*.java" \
  --include="*.go" --include="*.conf" "${TARGET_SOURCE}"

# Default credentials in config files
grep -rn "password.*admin\|password.*password\|password.*secret\|password.*12345\|password.*changeme\|DB_PASSWORD.*root\|MYSQL_ROOT_PASSWORD.*test\|POSTGRES_PASSWORD.*test" \
  --include="*.env" --include="*.yml" --include="*.yaml" --include="*.json" \
  --include="*.conf" --include="*.ini" --include="*.toml" --include="*.xml" \
  "${TARGET_SOURCE}" | grep -v "example\|sample\|template\|\.example\|placeholder"

# Hardcoded secrets: quoted literals (SECRET_KEY values starting with $ or { are skipped as variable references)
grep -rn "SECRET_KEY\s*=\s*['\"][^\${]\|API_KEY\s*=\s*['\"]\|JWT_SECRET\s*=\s*['\"]\|-----BEGIN.*PRIVATE\|access_key_id\s*=\s*['\"]\|secret_access_key" \
  --include="*.py" --include="*.js" --include="*.ts" --include="*.java" \
  --include="*.php" --include="*.rb" --include="*.go" --include="*.env" \
  --include="*.yml" --include="*.yaml" --include="*.json" --include="*.conf" \
  "${TARGET_SOURCE}" | grep -v "test\|spec\|example\|sample\|placeholder\|your_"

# Exposed admin, debug and API documentation endpoints
grep -rn "django_debug_toolbar\|debugbar\|flask_debugtoolbar\|/admin/\|/debug/\|/__debug__/\|/internal/\|/actuator/\|/swagger-ui\|/api-docs/\|/graphiql\|/redoc" \
  --include="*.py" --include="*.js" --include="*.ts" --include="*.java" \
  --include="*.rb" --include="*.go" --include="*.php" "${TARGET_SOURCE}"
# Spring Boot actuator exposure settings
grep -rn "management\.endpoints\|actuator\|endpoints\.web\.exposure\|health\.show-details\|heapdump\|threaddump" \
  --include="*.yml" --include="*.yaml" --include="*.properties" "${TARGET_SOURCE}"

# Weak hash functions (MD5/SHA1)
grep -rn "hashlib\.md5\|hashlib\.sha1\|md5(\|sha1(\|MD5\.\|SHA1\.\|MessageDigest.*MD5\|MessageDigest.*SHA.1" \
  --include="*.py" --include="*.js" --include="*.ts" --include="*.java" \
  --include="*.php" --include="*.rb" --include="*.go" "${TARGET_SOURCE}"

# Non-cryptographic RNG
grep -rn "random\.random(\|random\.randint(\|Math\.random(\|rand(\|mt_rand(\|Random()\.\|new Random()" \
  --include="*.py" --include="*.js" --include="*.ts" --include="*.java" \
  --include="*.php" --include="*.go" "${TARGET_SOURCE}" | grep -v "test\|spec"

# TLS certificate verification disabled
grep -rn "verify=False\|ssl\._create_unverified_context\|CERT_NONE\|rejectUnauthorized.*false\|InsecureSkipVerify.*true\|SSLContext.*CERT_NONE" \
  --include="*.py" --include="*.js" --include="*.ts" --include="*.go" \
  --include="*.java" --include="*.rb" "${TARGET_SOURCE}"

# ECB mode and fixed/null IVs
grep -rn "AES\.MODE_ECB\|Cipher\.getInstance.*ECB\|iv\s*=\s*b['\"]\\\\x00\|iv\s*=\s*bytes(16)\|fixed.*iv\|static.*iv" \
  --include="*.py" --include="*.js" --include="*.ts" --include="*.java" --include="*.php" "${TARGET_SOURCE}"

# Non-constant-time signature/token comparison
grep -rn "==.*signature\|signature.*==\|hmac.*==\|token.*==" \
  --include="*.py" --include="*.js" --include="*.ts" --include="*.java" \
  --include="*.php" --include="*.rb" --include="*.go" \
  "${TARGET_SOURCE}" | grep -v "hmac\.compare_digest\|crypto\.timingSafeEqual\|MessageDigest\.isEqual\|secure_compare"

# Container: privileged mode, host namespaces, added capabilities
grep -rn "privileged.*true\|--privileged\|network.*host\|pid.*host\|cap_add.*ALL\|allowPrivilegeEscalation.*true\|runAsRoot" \
  --include="*.yml" --include="*.yaml" --include="Dockerfile" --include="docker-compose*" "${TARGET_SOURCE}"
# Kubernetes: wildcard RBAC and default service accounts
grep -rn "cluster-admin\|verbs.*\*\|resources.*\*\|serviceAccountName.*default\|automountServiceAccountToken.*true" \
  --include="*.yml" --include="*.yaml" "${TARGET_SOURCE}"
```
True in production settings → HIGH

| Pattern | Verdict |
|---|---|
| `DEBUG = True` not env-guarded | HIGH |
| `DEBUG = os.environ.get('DEBUG', False)` | MEDIUM |
| CORS wildcard + `Allow-Credentials: true` | CRITICAL |
| CORS wildcard without credentials | LOW |
| Missing HSTS header | LOW |
| Missing CSP + stored XSS found | Escalates XSS |
| Default `admin:admin` in docker-compose | HIGH |
| Actuator `include=*` without auth | CRITICAL |
| `/swagger-ui` without auth | MEDIUM |
| `hashlib.md5(password)` | CRITICAL |
| `hashlib.md5(file_content)` | FALSE POSITIVE |
| `bcrypt.hashpw(password, salt)` | FALSE POSITIVE |
| `random.randint()` for OTP | HIGH |
| `secrets.randbelow()` for OTP | FALSE POSITIVE |
| `verify=False` in production | HIGH |
| `AES.MODE_ECB` | HIGH |
| `AES.MODE_CBC` with random IV | FALSE POSITIVE |
| `signature == hmac_sig` | HIGH timing attack |
| `hmac.compare_digest(s1, s2)` | FALSE POSITIVE |
| Hardcoded `SECRET_KEY = "mysecretkey"` | HIGH |
| `privileged: true` in K8s pod | HIGH |
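The triage table separates `hashlib.md5(password)` from `hashlib.md5(file_content)`, a distinction the grep hit alone cannot make. The following added example (not part of the original skill) triages such hits by inspecting the call's arguments with Python's `ast` module; the `SENSITIVE` name fragments, the `LIKELY FALSE POSITIVE` label and the sample source are assumptions made for the illustration.

```python
import ast

WEAK = {"md5", "sha1"}
# Assumption: identifier fragments that suggest a credential is being hashed.
SENSITIVE = ("password", "passwd", "pwd", "secret")

# Constructed sample input; it is only parsed, never executed.
SAMPLE = '''\
import hashlib

def store(user, password):
    user.pw = hashlib.md5(password.encode()).hexdigest()

def etag(file_content):
    return hashlib.md5(file_content).hexdigest()

def legacy(form):
    return hashlib.sha1(form.passwd + SALT).hexdigest()
'''

def _names(node):
    """Collect every identifier and attribute name used inside an expression."""
    out = []
    for n in ast.walk(node):
        if isinstance(n, ast.Name):
            out.append(n.id.lower())
        elif isinstance(n, ast.Attribute):
            out.append(n.attr.lower())
    return out

def triage_weak_hashes(source):
    """Return sorted (line, call, verdict) for each hashlib.md5/sha1 call.

    Only the `hashlib.<algo>(...)` spelling is handled; `from hashlib import md5`
    and values passed through intermediate variables still need manual review.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        f = node.func
        if not (isinstance(f.value, ast.Name) and f.value.id == "hashlib" and f.attr in WEAK):
            continue
        arg_names = [n for a in node.args for n in _names(a)]
        hit = any(s in n for n in arg_names for s in SENSITIVE)
        verdict = "CRITICAL" if hit else "LIKELY FALSE POSITIVE"
        findings.append((node.lineno, f"hashlib.{f.attr}", verdict))
    return sorted(findings)

if __name__ == "__main__":
    for line, call, verdict in triage_weak_hashes(SAMPLE):
        print(f"line {line}: {call} -> {verdict}")
```
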
Use LSP diagnostics to confirm config and crypto issues:
mcp__ide__getDiagnostics on crypto implementation files: catch type mismatches in key sizes, IV lengths, or cipher mode parameters
The grep patterns above catch known vulnerability shapes. After completing the pattern scan, perform semantic analysis on the code you've read:
For each handler/endpoint: Read the full function. Ask: "What security assumption does this code make? Can that assumption be violated?"
For custom abstractions: If the codebase has custom configuration loaders, secret managers, or crypto wrappers — read their implementations. Are they correct? Do they handle edge cases (null, empty, unicode, concurrent calls)?
Cross-module flows: If a variable passes through 3+ functions before reaching a sink, follow it through every hop. One missed encoding step in the middle = vulnerability.
Config-specific deep analysis:
default-src * is present but useless. HSTS without includeSubDomains leaves subdomains vulnerable. CORS with a regex origin check may be bypassable (evil-example.com matching example.com).
NODE_ENV === 'production' or DEBUG = os.environ.get(...): can an attacker influence the environment? Check for .env files in the repo, environment variable injection via SSRF, or config endpoints that reveal the current environment.
docker-compose.override.yml, .env.production, and Kubernetes ConfigMaps/Secrets that might override secure defaults.
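The regex origin check mentioned above (evil-example.com matching example.com), shown next to a hardened check, as an added example that is not part of the original skill. The allowlist, the function names and the weak pattern are assumptions chosen to mirror what a reviewer would look for in a CORS handler.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for the example (example.com is a documentation domain).
ALLOWED_ORIGINS = {"https://example.com", "https://app.example.com"}

# Weak shape to flag in review: unanchored search with an unescaped dot, so any
# origin that merely contains the text passes the check.
WEAK_PATTERN = re.compile(r"example.com")

def weak_origin_ok(origin):
    """The bypassable check: substring-style regex match on the Origin header."""
    return WEAK_PATTERN.search(origin) is not None

def strict_origin_ok(origin):
    """Exact match of a normalised scheme://host[:port] against the allowlist."""
    if not origin or origin == "null":
        return False
    parts = urlsplit(origin)
    # A valid Origin value has no path, query, fragment or userinfo.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return False
    normalised = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    return normalised in ALLOWED_ORIGINS

def cors_headers(origin):
    """Echo the origin only when allowlisted; never pair '*' with credentials."""
    if not strict_origin_ok(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # keep caches from serving one origin's response to another
    }

if __name__ == "__main__":
    for o in ("https://example.com", "https://evil-example.com",
              "https://example.com.attacker.test", "null"):
        print(f"{o:40} weak={weak_origin_ok(o)} strict={strict_origin_ok(o)}")
```
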