Security Misconfiguration

This skill should be used when the user asks about "security misconfiguration", "default credentials", "debug mode", "security headers", "exposed endpoints", "TLS configuration", or needs to find configuration-related vulnerabilities during whitebox security review.

14 stars

Best use case

Security Misconfiguration is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

This skill should be used when the user asks about "security misconfiguration", "default credentials", "debug mode", "security headers", "exposed endpoints", "TLS configuration", or needs to find configuration-related vulnerabilities during whitebox security review.

Teams using Security Misconfiguration should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-misconfiguration/SKILL.md --create-dirs "https://raw.githubusercontent.com/allsmog/vuln-scout/main/vuln-scout/skills/security-misconfiguration/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-misconfiguration/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Security Misconfiguration Compares

Feature / AgentSecurity MisconfigurationStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

This skill should be used when the user asks about "security misconfiguration", "default credentials", "debug mode", "security headers", "exposed endpoints", "TLS configuration", or needs to find configuration-related vulnerabilities during whitebox security review.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Security Misconfiguration (OWASP A05)

## Purpose

Provide detection patterns for security misconfiguration vulnerabilities including default credentials, debug mode exposure, missing security headers, and insecure TLS settings.

## OWASP Top 10 Mapping

**Category**: A05 - Security Misconfiguration

**CWEs**:
- CWE-16: Configuration
- CWE-209: Information Exposure Through Error Messages
- CWE-215: Information Exposure Through Debug Information
- CWE-548: Information Exposure Through Directory Listing
- CWE-756: Missing Custom Error Page

## When to Use

Activate this skill when:
- Reviewing application configuration files
- Checking for exposed debug/admin endpoints
- Auditing security header implementation
- Verifying TLS/SSL configuration
- Looking for default or weak credentials

---

## Debug Mode Enabled

### Detection Patterns

#### Python (Django/Flask)

```bash
# Django debug mode
grep -rniE "DEBUG\s*=\s*True" --include="*.py" --include="settings.py"

# Flask debug mode
grep -rniE "app\.debug\s*=\s*True|FLASK_DEBUG|debug=True" --include="*.py"

# Environment files
grep -rniE "DEBUG=1|DEBUG=true|DEBUG=True" --include="*.env" --include=".env*"
```

#### Java (Spring)

```bash
# Spring DevTools / Debug
grep -rniE "spring\.devtools|management\.endpoints\.web\.exposure|actuator" --include="*.properties" --include="*.yaml" --include="*.yml"

# Exposed actuator endpoints
grep -rniE "exposure\.include.*\*|exposure\.include.*health,info,env" --include="*.properties" --include="*.yaml"
```

#### PHP

```bash
# Display errors
grep -rniE "display_errors.*On|display_errors.*1|error_reporting.*E_ALL" --include="*.php" --include="php.ini"

# Laravel debug
grep -rniE "APP_DEBUG=true|'debug'.*=>.*true" --include="*.env" --include="*.php"
```

#### Go

```bash
# Gin debug mode
grep -rniE "gin\.SetMode.*gin\.DebugMode|GIN_MODE=debug" --include="*.go" --include="*.env"

# pprof enabled
grep -rniE "net/http/pprof|/debug/pprof" --include="*.go"
```

#### TypeScript/Node.js

```bash
# Debug environment
grep -rniE "NODE_ENV.*development|DEBUG=\*|debug.*true" --include="*.ts" --include="*.js" --include="*.env"
```

---

## Default Credentials

### Detection Patterns

```bash
# Common default passwords
grep -rniE "password.*['\"]admin['\"]|password.*['\"]123456['\"]|password.*['\"]password['\"]|password.*['\"]root['\"]|password.*['\"]test['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Default usernames with passwords
grep -rniE "admin.*admin|root.*root|user.*password|test.*test" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.env" --include="*.yaml"

# Database defaults
grep -rniE "postgres.*postgres|mysql.*root|mongodb.*admin" --include="*.env" --include="*.yaml" --include="*.properties"
```

### Common Default Credentials to Check

| Service | Username | Password |
|---------|----------|----------|
| PostgreSQL | postgres | postgres |
| MySQL | root | (empty) |
| MongoDB | admin | admin |
| Redis | (none) | (none) |
| RabbitMQ | guest | guest |
| Elasticsearch | elastic | changeme |
| Jenkins | admin | admin |
| Grafana | admin | admin |

---

## Exposed Admin/Debug Endpoints

### Detection Patterns

```bash
# Admin routes
grep -rniE "[\"\'/]admin|[\"\'/]_admin|[\"\'/]administrator" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Debug/Dev endpoints
grep -rniE "[\"\'/]debug|[\"\'/]_debug|[\"\'/]dev|[\"\'/]test" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Internal endpoints
grep -rniE "[\"\'/]internal|[\"\'/]private|[\"\'/]system" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Monitoring endpoints
grep -rniE "[\"\'/]metrics|[\"\'/]health|[\"\'/]status|[\"\'/]actuator|[\"\'/]swagger|[\"\'/]graphql" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```

### Framework-Specific Endpoints

| Framework | Endpoint | Risk |
|-----------|----------|------|
| Spring Boot | /actuator/* | Env vars, heap dump |
| Django | /admin/ | Admin panel |
| Rails | /rails/info | Version disclosure |
| Laravel | /telescope | Debug info |
| Express | /graphql | Introspection |
| Go pprof | /debug/pprof | Memory/CPU profiling |

---

## Missing Security Headers

### Detection Patterns

```bash
# Look for header setting code
grep -rniE "Content-Security-Policy|X-Frame-Options|X-Content-Type-Options|Strict-Transport-Security|X-XSS-Protection" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Middleware/interceptor configuration
grep -rniE "helmet|securityHeaders|addHeader|setHeader.*security" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```

### Required Security Headers

| Header | Value | Purpose |
|--------|-------|---------|
| Content-Security-Policy | `default-src 'self'` | Prevent XSS |
| X-Frame-Options | `DENY` | Prevent clickjacking |
| X-Content-Type-Options | `nosniff` | Prevent MIME sniffing |
| Strict-Transport-Security | `max-age=31536000` | Force HTTPS |
| X-XSS-Protection | `1; mode=block` | XSS filter (legacy) |
| Referrer-Policy | `strict-origin-when-cross-origin` | Control referrer |
| Permissions-Policy | `geolocation=()` | Limit browser features |

---

## TLS/SSL Misconfiguration

### Detection Patterns

```bash
# Insecure TLS versions
grep -rniE "SSLv2|SSLv3|TLSv1\.0|TLSv1\.1|ssl\.PROTOCOL_SSLv|TLS_RSA_" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Disabled certificate verification
grep -rniE "verify.*false|InsecureSkipVerify.*true|VERIFY_NONE|verify_ssl.*False|rejectUnauthorized.*false" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Weak ciphers
grep -rniE "DES|RC4|MD5|NULL|EXPORT|anon" --include="*.go" --include="*.py" --include="*.java" --include="*.conf"
```

### Secure TLS Configuration

**Minimum**: TLS 1.2
**Recommended**: TLS 1.3

**Safe cipher suites**:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256

---

## Directory Listing

### Detection Patterns

```bash
# Nginx
grep -rniE "autoindex\s+on" --include="*.conf" --include="nginx.conf"

# Apache
grep -rniE "Options.*Indexes|DirectoryIndex" --include="*.conf" --include=".htaccess"

# Application-level
grep -rniE "directory.*listing|listFiles|readdir" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```

---

## Proxy Cache Misconfiguration

### Overview

Proxy caches (Nginx, Varnish, CDN) can expose sensitive data if:
- Authenticated responses are cached based on file extension
- Cache key doesn't include session/auth identifiers
- Dynamic paths are cached as static content

**See also**: `cache-poisoning` skill for comprehensive cache attack patterns.

### Detection Patterns

```bash
# Nginx proxy cache configuration
grep -rniE "proxy_cache|proxy_cache_valid|proxy_cache_key" --include="*.conf" --include="nginx.conf"

# CRITICAL: Cache rules for static extensions on dynamic paths
grep -rniE "location.*\.(css|js|png|jpg|jpeg|gif|ico|svg)" -A10 --include="*.conf" | grep -iE "proxy_cache|cache"

# Missing cache bypass for authenticated requests
grep -rniE "proxy_cache_bypass|proxy_no_cache" --include="*.conf"

# Varnish cache rules
grep -rniE "vcl_recv|vcl_hash|set beresp\.ttl" --include="*.vcl"
```

### Security Checklist

- [ ] Authenticated responses excluded from cache (`proxy_cache_bypass $http_authorization`)
- [ ] Cache key includes user identifier for personalized content
- [ ] Cache-Control: private set for authenticated endpoints
- [ ] Vary: Authorization header used appropriately

---

## CORS Misconfiguration

### Detection Patterns

```bash
# Wildcard origin
grep -rniE "Access-Control-Allow-Origin.*\*|AllowAllOrigins|cors.*origin.*\*" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Dynamic origin reflection (vulnerable)
grep -rniE "Origin.*header|request\.headers\.origin|getHeader.*Origin" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Credentials with wildcard (invalid but attempted)
grep -rniE "Access-Control-Allow-Credentials.*true" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```

---

## Verbose Error Messages

### Detection Patterns

```bash
# Stack traces in responses
grep -rniE "printStackTrace|traceback|\.stack|debug.*true.*error" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Detailed error responses
grep -rniE "error.*message.*\+|err\.Error\(\)|e\.getMessage\(\)" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```

---

## Unnecessary Features Enabled

### Detection Patterns

```bash
# HTTP methods (should disable unused)
grep -rniE "TRACE|OPTIONS|PUT|DELETE" --include="*.conf" --include="*.xml"

# Unused ports
grep -rniE "listen.*22|listen.*21|listen.*3306|listen.*5432" --include="*.conf" --include="*.yaml"

# Development dependencies in production
grep -rniE "devDependencies|dev-dependencies" --include="package.json" --include="Cargo.toml"
```

---

## Framework-Specific Checks

### Django

```bash
grep -rniE "DEBUG|SECRET_KEY|ALLOWED_HOSTS.*\*|CSRF_COOKIE_SECURE.*False|SESSION_COOKIE_SECURE.*False" --include="settings.py"
```

### Spring Boot

```bash
grep -rniE "management\.endpoints|spring\.datasource\.password|server\.error\.include-stacktrace" --include="*.properties" --include="*.yaml"
```

### Express/Node.js

```bash
grep -rniE "trust proxy|x-powered-by|helmet|NODE_ENV" --include="*.ts" --include="*.js"
```

### Laravel

```bash
grep -rniE "APP_DEBUG|APP_KEY|MAIL_PASSWORD|DB_PASSWORD" --include=".env" --include="*.php"
```

---

## Verification Checklist

- [ ] Debug mode disabled in production
- [ ] No default credentials
- [ ] Admin endpoints protected
- [ ] Security headers implemented
- [ ] TLS 1.2+ only
- [ ] Certificate verification enabled
- [ ] Directory listing disabled
- [ ] CORS properly configured
- [ ] Error messages sanitized
- [ ] Unnecessary features disabled

---

## CWE References

| CWE | Name | Example |
|-----|------|---------|
| CWE-16 | Configuration | Insecure default settings |
| CWE-209 | Error Info Exposure | Stack traces to users |
| CWE-215 | Debug Info Exposure | Debug endpoints accessible |
| CWE-524 | Sensitive Info in Cache | Authenticated data cached by proxy |
| CWE-548 | Directory Listing | autoindex on |
| CWE-756 | Missing Error Page | Default error pages |

Related Skills

OWASP API Security Top 10

14
from allsmog/vuln-scout

This skill should be used when the user asks about "API security", "OWASP API Top 10", "BOLA", "broken object level authorization", "API authentication", "mass assignment", "GraphQL security", "gRPC security", "rate limiting", "API abuse", "REST API vulnerabilities", or needs to identify API-specific security issues during whitebox security review.

Cloud-Native Security

14
from allsmog/vuln-scout

This skill should be used when the user asks about "cloud security", "AWS security", "GCP security", "Azure security", "Kubernetes security", "IMDS", "instance metadata", "S3 bucket policy", "IAM", "serverless security", "Lambda security", "container security", "cloud misconfiguration", "SSRF to cloud metadata", or needs to identify cloud-native security issues during whitebox security review.

Workspace Discovery

14
from allsmog/vuln-scout

This skill should be used when the user asks to "detect workspaces", "find packages", "list monorepo packages", "workspace structure", "monorepo analysis", or needs to identify workspace/package boundaries in a codebase for focused security analysis.

vulnerability-chains

14
from allsmog/vuln-scout

This skill should be used when the user asks about "vulnerability chains", "chained exploits", "multi-step attacks", "SSRF to RCE", "pivot attacks", or needs to identify how vulnerabilities in different components can be combined during whitebox security review.

Vulnerability Patterns

14
from allsmog/vuln-scout

This skill should be used when the user asks about "vulnerability patterns", "how to find SQL injection", "XSS patterns", "command injection techniques", "OWASP vulnerabilities", "common web vulnerabilities", "exploitation patterns", or needs to understand how specific vulnerability classes work during whitebox security review.

Threat Modeling

14
from allsmog/vuln-scout

This skill should be used when the user asks about "threat model", "STRIDE", "data flow diagram", "attack surface", "threat analysis", "security architecture", "component threats", "trust boundaries", "technology decomposition", or needs systematic threat identification during whitebox security review.

verify-finding

14
from allsmog/vuln-scout

Drive a single finding through CPG verification and false-positive triage.

start-audit

14
from allsmog/vuln-scout

Guided first-run security audit: doctor, scope, threats, scan, verify, report.

scope-repo

14
from allsmog/vuln-scout

Decide audit boundaries for large or monorepo targets and write audit-plan.md.

review-pr

14
from allsmog/vuln-scout

Diff-aware PR security review with verified findings and PR comment payload.

package-evidence

14
from allsmog/vuln-scout

Bundle findings, reports, audit plan, and ledger into one evidence zip.

Sensitive Data Leakage

14
from allsmog/vuln-scout

Detect ANY credential/secret flowing to ANY output sink. Use when asked about "credential leakage", "secret logging", "sensitive data exposure", "CWE-532", "password in logs", "token exposure", or security logging issues.