Security Misconfiguration
This skill should be used when the user asks about "security misconfiguration", "default credentials", "debug mode", "security headers", "exposed endpoints", "TLS configuration", or needs to find configuration-related vulnerabilities during whitebox security review.
Best use case
Security Misconfiguration is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
This skill should be used when the user asks about "security misconfiguration", "default credentials", "debug mode", "security headers", "exposed endpoints", "TLS configuration", or needs to find configuration-related vulnerabilities during whitebox security review.
Teams using Security Misconfiguration should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/security-misconfiguration/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How Security Misconfiguration Compares
| Feature / Agent | Security Misconfiguration | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
This skill should be used when the user asks about "security misconfiguration", "default credentials", "debug mode", "security headers", "exposed endpoints", "TLS configuration", or needs to find configuration-related vulnerabilities during whitebox security review.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Security Misconfiguration (OWASP A05) ## Purpose Provide detection patterns for security misconfiguration vulnerabilities including default credentials, debug mode exposure, missing security headers, and insecure TLS settings. ## OWASP Top 10 Mapping **Category**: A05 - Security Misconfiguration **CWEs**: - CWE-16: Configuration - CWE-209: Information Exposure Through Error Messages - CWE-215: Information Exposure Through Debug Information - CWE-548: Information Exposure Through Directory Listing - CWE-756: Missing Custom Error Page ## When to Use Activate this skill when: - Reviewing application configuration files - Checking for exposed debug/admin endpoints - Auditing security header implementation - Verifying TLS/SSL configuration - Looking for default or weak credentials --- ## Debug Mode Enabled ### Detection Patterns #### Python (Django/Flask) ```bash # Django debug mode grep -rniE "DEBUG\s*=\s*True" --include="*.py" --include="settings.py" # Flask debug mode grep -rniE "app\.debug\s*=\s*True|FLASK_DEBUG|debug=True" --include="*.py" # Environment files grep -rniE "DEBUG=1|DEBUG=true|DEBUG=True" --include="*.env" --include=".env*" ``` #### Java (Spring) ```bash # Spring DevTools / Debug grep -rniE "spring\.devtools|management\.endpoints\.web\.exposure|actuator" --include="*.properties" --include="*.yaml" --include="*.yml" # Exposed actuator endpoints grep -rniE "exposure\.include.*\*|exposure\.include.*health,info,env" --include="*.properties" --include="*.yaml" ``` #### PHP ```bash # Display errors grep -rniE "display_errors.*On|display_errors.*1|error_reporting.*E_ALL" --include="*.php" --include="php.ini" # Laravel debug grep -rniE "APP_DEBUG=true|'debug'.*=>.*true" --include="*.env" --include="*.php" ``` #### Go ```bash # Gin debug mode grep -rniE "gin\.SetMode.*gin\.DebugMode|GIN_MODE=debug" --include="*.go" --include="*.env" # pprof enabled grep -rniE "net/http/pprof|/debug/pprof" --include="*.go" ``` #### TypeScript/Node.js ```bash # Debug environment grep -rniE "NODE_ENV.*development|DEBUG=\*|debug.*true" --include="*.ts" --include="*.js" --include="*.env" ``` --- ## Default Credentials ### Detection Patterns ```bash # Common default passwords grep -rniE "password.*['\"]admin['\"]|password.*['\"]123456['\"]|password.*['\"]password['\"]|password.*['\"]root['\"]|password.*['\"]test['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" # Default usernames with passwords grep -rniE "admin.*admin|root.*root|user.*password|test.*test" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.env" --include="*.yaml" # Database defaults grep -rniE "postgres.*postgres|mysql.*root|mongodb.*admin" --include="*.env" --include="*.yaml" --include="*.properties" ``` ### Common Default Credentials to Check | Service | Username | Password | |---------|----------|----------| | PostgreSQL | postgres | postgres | | MySQL | root | (empty) | | MongoDB | admin | admin | | Redis | (none) | (none) | | RabbitMQ | guest | guest | | Elasticsearch | elastic | changeme | | Jenkins | admin | admin | | Grafana | admin | admin | --- ## Exposed Admin/Debug Endpoints ### Detection Patterns ```bash # Admin routes grep -rniE "[\"\'/]admin|[\"\'/]_admin|[\"\'/]administrator" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" # Debug/Dev endpoints grep -rniE "[\"\'/]debug|[\"\'/]_debug|[\"\'/]dev|[\"\'/]test" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" # Internal endpoints grep -rniE "[\"\'/]internal|[\"\'/]private|[\"\'/]system" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" # Monitoring endpoints grep -rniE "[\"\'/]metrics|[\"\'/]health|[\"\'/]status|[\"\'/]actuator|[\"\'/]swagger|[\"\'/]graphql" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" ``` ### Framework-Specific Endpoints | Framework | Endpoint | Risk | |-----------|----------|------| | Spring Boot | /actuator/* | Env vars, heap dump | | Django | /admin/ | Admin panel | | Rails | /rails/info | Version disclosure | | Laravel | /telescope | Debug info | | Express | /graphql | Introspection | | Go pprof | /debug/pprof | Memory/CPU profiling | --- ## Missing Security Headers ### Detection Patterns ```bash # Look for header setting code grep -rniE "Content-Security-Policy|X-Frame-Options|X-Content-Type-Options|Strict-Transport-Security|X-XSS-Protection" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" # Middleware/interceptor configuration grep -rniE "helmet|securityHeaders|addHeader|setHeader.*security" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" ``` ### Required Security Headers | Header | Value | Purpose | |--------|-------|---------| | Content-Security-Policy | `default-src 'self'` | Prevent XSS | | X-Frame-Options | `DENY` | Prevent clickjacking | | X-Content-Type-Options | `nosniff` | Prevent MIME sniffing | | Strict-Transport-Security | `max-age=31536000` | Force HTTPS | | X-XSS-Protection | `1; mode=block` | XSS filter (legacy) | | Referrer-Policy | `strict-origin-when-cross-origin` | Control referrer | | Permissions-Policy | `geolocation=()` | Limit browser features | --- ## TLS/SSL Misconfiguration ### Detection Patterns ```bash # Insecure TLS versions grep -rniE "SSLv2|SSLv3|TLSv1\.0|TLSv1\.1|ssl\.PROTOCOL_SSLv|TLS_RSA_" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" # Disabled certificate verification grep -rniE "verify.*false|InsecureSkipVerify.*true|VERIFY_NONE|verify_ssl.*False|rejectUnauthorized.*false" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" # Weak ciphers grep -rniE "DES|RC4|MD5|NULL|EXPORT|anon" --include="*.go" --include="*.py" --include="*.java" --include="*.conf" ``` ### Secure TLS Configuration **Minimum**: TLS 1.2 **Recommended**: TLS 1.3 **Safe cipher suites**: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 --- ## Directory Listing ### Detection Patterns ```bash # Nginx grep -rniE "autoindex\s+on" --include="*.conf" --include="nginx.conf" # Apache grep -rniE "Options.*Indexes|DirectoryIndex" --include="*.conf" --include=".htaccess" # Application-level grep -rniE "directory.*listing|listFiles|readdir" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" ``` --- ## Proxy Cache Misconfiguration ### Overview Proxy caches (Nginx, Varnish, CDN) can expose sensitive data if: - Authenticated responses are cached based on file extension - Cache key doesn't include session/auth identifiers - Dynamic paths are cached as static content **See also**: `cache-poisoning` skill for comprehensive cache attack patterns. ### Detection Patterns ```bash # Nginx proxy cache configuration grep -rniE "proxy_cache|proxy_cache_valid|proxy_cache_key" --include="*.conf" --include="nginx.conf" # CRITICAL: Cache rules for static extensions on dynamic paths grep -rniE "location.*\.(css|js|png|jpg|jpeg|gif|ico|svg)" -A10 --include="*.conf" | grep -iE "proxy_cache|cache" # Missing cache bypass for authenticated requests grep -rniE "proxy_cache_bypass|proxy_no_cache" --include="*.conf" # Varnish cache rules grep -rniE "vcl_recv|vcl_hash|set beresp\.ttl" --include="*.vcl" ``` ### Security Checklist - [ ] Authenticated responses excluded from cache (`proxy_cache_bypass $http_authorization`) - [ ] Cache key includes user identifier for personalized content - [ ] Cache-Control: private set for authenticated endpoints - [ ] Vary: Authorization header used appropriately --- ## CORS Misconfiguration ### Detection Patterns ```bash # Wildcard origin grep -rniE "Access-Control-Allow-Origin.*\*|AllowAllOrigins|cors.*origin.*\*" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" # Dynamic origin reflection (vulnerable) grep -rniE "Origin.*header|request\.headers\.origin|getHeader.*Origin" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" # Credentials with wildcard (invalid but attempted) grep -rniE "Access-Control-Allow-Credentials.*true" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" ``` --- ## Verbose Error Messages ### Detection Patterns ```bash # Stack traces in responses grep -rniE "printStackTrace|traceback|\.stack|debug.*true.*error" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" # Detailed error responses grep -rniE "error.*message.*\+|err\.Error\(\)|e\.getMessage\(\)" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" ``` --- ## Unnecessary Features Enabled ### Detection Patterns ```bash # HTTP methods (should disable unused) grep -rniE "TRACE|OPTIONS|PUT|DELETE" --include="*.conf" --include="*.xml" # Unused ports grep -rniE "listen.*22|listen.*21|listen.*3306|listen.*5432" --include="*.conf" --include="*.yaml" # Development dependencies in production grep -rniE "devDependencies|dev-dependencies" --include="package.json" --include="Cargo.toml" ``` --- ## Framework-Specific Checks ### Django ```bash grep -rniE "DEBUG|SECRET_KEY|ALLOWED_HOSTS.*\*|CSRF_COOKIE_SECURE.*False|SESSION_COOKIE_SECURE.*False" --include="settings.py" ``` ### Spring Boot ```bash grep -rniE "management\.endpoints|spring\.datasource\.password|server\.error\.include-stacktrace" --include="*.properties" --include="*.yaml" ``` ### Express/Node.js ```bash grep -rniE "trust proxy|x-powered-by|helmet|NODE_ENV" --include="*.ts" --include="*.js" ``` ### Laravel ```bash grep -rniE "APP_DEBUG|APP_KEY|MAIL_PASSWORD|DB_PASSWORD" --include=".env" --include="*.php" ``` --- ## Verification Checklist - [ ] Debug mode disabled in production - [ ] No default credentials - [ ] Admin endpoints protected - [ ] Security headers implemented - [ ] TLS 1.2+ only - [ ] Certificate verification enabled - [ ] Directory listing disabled - [ ] CORS properly configured - [ ] Error messages sanitized - [ ] Unnecessary features disabled --- ## CWE References | CWE | Name | Example | |-----|------|---------| | CWE-16 | Configuration | Insecure default settings | | CWE-209 | Error Info Exposure | Stack traces to users | | CWE-215 | Debug Info Exposure | Debug endpoints accessible | | CWE-524 | Sensitive Info in Cache | Authenticated data cached by proxy | | CWE-548 | Directory Listing | autoindex on | | CWE-756 | Missing Error Page | Default error pages |
Related Skills
OWASP API Security Top 10
This skill should be used when the user asks about "API security", "OWASP API Top 10", "BOLA", "broken object level authorization", "API authentication", "mass assignment", "GraphQL security", "gRPC security", "rate limiting", "API abuse", "REST API vulnerabilities", or needs to identify API-specific security issues during whitebox security review.
Cloud-Native Security
This skill should be used when the user asks about "cloud security", "AWS security", "GCP security", "Azure security", "Kubernetes security", "IMDS", "instance metadata", "S3 bucket policy", "IAM", "serverless security", "Lambda security", "container security", "cloud misconfiguration", "SSRF to cloud metadata", or needs to identify cloud-native security issues during whitebox security review.
Workspace Discovery
This skill should be used when the user asks to "detect workspaces", "find packages", "list monorepo packages", "workspace structure", "monorepo analysis", or needs to identify workspace/package boundaries in a codebase for focused security analysis.
vulnerability-chains
This skill should be used when the user asks about "vulnerability chains", "chained exploits", "multi-step attacks", "SSRF to RCE", "pivot attacks", or needs to identify how vulnerabilities in different components can be combined during whitebox security review.
Vulnerability Patterns
This skill should be used when the user asks about "vulnerability patterns", "how to find SQL injection", "XSS patterns", "command injection techniques", "OWASP vulnerabilities", "common web vulnerabilities", "exploitation patterns", or needs to understand how specific vulnerability classes work during whitebox security review.
Threat Modeling
This skill should be used when the user asks about "threat model", "STRIDE", "data flow diagram", "attack surface", "threat analysis", "security architecture", "component threats", "trust boundaries", "technology decomposition", or needs systematic threat identification during whitebox security review.
verify-finding
Drive a single finding through CPG verification and false-positive triage.
start-audit
Guided first-run security audit: doctor, scope, threats, scan, verify, report.
scope-repo
Decide audit boundaries for large or monorepo targets and write audit-plan.md.
review-pr
Diff-aware PR security review with verified findings and PR comment payload.
package-evidence
Bundle findings, reports, audit plan, and ledger into one evidence zip.
Sensitive Data Leakage
Detect ANY credential/secret flowing to ANY output sink. Use when asked about "credential leakage", "secret logging", "sensitive data exposure", "CWE-532", "password in logs", "token exposure", or security logging issues.