Security Audit Skill

1. Secrets & Credentials

• Hardcoded API keys, tokens, passwords in source code
• Secrets in config files committed to Git (.env, config.json, settings.py)
• Secrets in logs — sensitive data printed in console.log, logger.info, etc.
• Secrets in error messages — stack traces or error responses leaking internals
• Secrets in comments — old credentials left in TODO or commented-out code
• Secrets in Git history — check if secrets were committed and later removed (still in history)

# Search for common secret patterns
grep -rn "password\|secret\|api_key\|apikey\|token\|private_key\|AWS_SECRET\|DATABASE_URL" --include="*.ts" --include="*.js" --include="*.py" --include="*.env" --include="*.json" --include="*.yaml" --include="*.yml" .

# Check for .env files committed
git ls-files | grep -i "\.env"

# Check git history for secrets
git log --all --diff-filter=D -- "*.env" "*.pem" "*.key"

• Is a

  .gitignore

  in place with

  .env

  ,

  *.pem

  ,

  *.key

  ,

  *.p12

  ?
• Are secrets loaded from environment variables or a vault (not files)?
• Is there a

  .env.example

  with placeholder values (not real secrets)?

2. Injection Attacks

SQL Injection

// 🔴 VULNERABLE — string concatenation in query
const user = await db.query(`SELECT * FROM users WHERE id = '${req.params.id}'`);

// ✅ SAFE — parameterized query
const user = await db.query('SELECT * FROM users WHERE id = $1', [req.params.id]);

NoSQL Injection

// 🔴 VULNERABLE — user input directly in query object
const user = await User.find({ username: req.body.username });

// ✅ SAFE — explicitly cast to string
const user = await User.find({ username: String(req.body.username) });

Command Injection

// 🔴 VULNERABLE — user input in shell command
exec(`convert ${req.body.filename} output.png`);

// ✅ SAFE — use execFile with arguments array
execFile('convert', [sanitizedFilename, 'output.png']);

XSS (Cross-Site Scripting)

// 🔴 VULNERABLE — unsanitized HTML rendering
element.innerHTML = userInput;
// React: dangerouslySetInnerHTML={{ __html: userInput }}

// ✅ SAFE — use textContent or sanitize
element.textContent = userInput;
// React: use DOMPurify.sanitize() before dangerouslySetInnerHTML

Path Traversal

// 🔴 VULNERABLE — user controls file path
const file = fs.readFileSync(`./uploads/${req.params.filename}`);

// ✅ SAFE — resolve and validate path stays within allowed directory
const safePath = path.resolve('./uploads', req.params.filename);
if (!safePath.startsWith(path.resolve('./uploads'))) throw new Error('Invalid path');

Template Injection

• Check for user input passed directly into template engines (Jinja2, EJS, Handlebars)
• Verify auto-escaping is enabled

3. Authentication & Authorization

Authentication Flaws

• Weak password requirements — no minimum length, complexity, or breach checking
• Missing rate limiting on login endpoints (brute force risk)
• Missing account lockout after failed attempts
• Insecure password storage — plaintext, MD5, SHA1 (use bcrypt/argon2 with proper cost)
• Missing MFA on sensitive operations
• Session tokens in URLs — tokens should be in headers or httpOnly cookies
• No session expiration — tokens that never expire

Authorization Flaws

• Missing authorization checks — endpoints accessible without verifying user permissions
• IDOR (Insecure Direct Object Reference) — accessing other users' data by changing an ID
• Privilege escalation — regular user can access admin endpoints
• Missing resource ownership checks — user A can modify user B's data

// 🔴 VULNERABLE — IDOR: no ownership check
app.get('/api/orders/:id', async (req, res) => {
  const order = await Order.findById(req.params.id);
  res.json(order);
});

// ✅ SAFE — verify ownership
app.get('/api/orders/:id', async (req, res) => {
  const order = await Order.findById(req.params.id);
  if (order.userId !== req.user.id) return res.status(403).json({ error: 'Forbidden' });
  res.json(order);
});

4. Data Exposure

• Sensitive data in API responses — returning passwords, tokens, SSNs, full credit card numbers
• Verbose error messages in production — stack traces, database details, internal paths
• Missing field filtering — returning entire database objects instead of specific fields
• Sensitive data in client-side storage — tokens in localStorage (use httpOnly cookies)
• PII in logs — names, emails, IPs logged without redaction
• Missing data encryption — sensitive data stored unencrypted at rest
• CORS misconfiguration —

  Access-Control-Allow-Origin: *

  on authenticated endpoints

// 🔴 VULNERABLE — leaking sensitive fields
res.json(user);

// ✅ SAFE — explicit field selection
res.json({
  id: user.id,
  name: user.name,
  email: user.email,
});

5. Input Validation

• Missing validation — no checks on request body, params, query strings
• Type confusion — expecting a number but accepting a string
• Missing length limits — unbounded input that could cause DoS
• Missing file upload validation — no checks on file type, size, or content
• Regex DoS (ReDoS) — catastrophic backtracking on malicious input
• Missing content-type validation — accepting unexpected content types

• Is there a validation library in use (Zod, Joi, class-validator, Pydantic)?
• Are all API endpoints validating input before processing?
• Are file uploads restricted by type, size, and scanned for malware?

6. Dependencies

# Node.js
npm audit
# or
npx better-npm-audit audit

# Python
pip audit
# or
safety check

# Check for outdated packages
npm outdated
pip list --outdated

• Known CVEs in dependencies
• Outdated packages with known vulnerabilities
• Abandoned packages — no updates in 2+ years
• Typosquatting risk — verify package names are correct
• Excessive permissions — packages requesting more access than needed
• Lockfile present — package-lock.json or yarn.lock committed

7. HTTP Security Headers

• Content-Security-Policy

  — prevents XSS and data injection

• Strict-Transport-Security

  — enforces HTTPS

• X-Content-Type-Options: nosniff

  — prevents MIME type sniffing

• X-Frame-Options: DENY

  — prevents clickjacking

• Referrer-Policy

  — controls referrer information

• Permissions-Policy

  — restricts browser features

# Check response headers
curl -I https://your-app.com

8. Cryptography

• Weak hashing — MD5 or SHA1 for passwords (use bcrypt, scrypt, or argon2)
• Weak encryption — DES, RC4, ECB mode (use AES-256-GCM)
• Hardcoded encryption keys — keys should be in environment variables or a vault
• Missing TLS — HTTP connections for sensitive data
• Weak JWT — using

  alg: none

  or HS256 with a short secret
• Predictable random values — using Math.random() for tokens (use crypto.randomBytes)

// 🔴 VULNERABLE — predictable token
const token = Math.random().toString(36);

// ✅ SAFE — cryptographically secure
const token = crypto.randomBytes(32).toString('hex');

9. Infrastructure & Configuration

• Debug mode in production — verbose errors, stack traces, debug endpoints
• Default credentials — admin/admin, root/root still active
• Unnecessary ports open — database ports exposed to the internet
• Missing rate limiting — no protection against DoS
• Missing request size limits — large payloads causing OOM
• Insecure CORS — wildcard origins on authenticated endpoints
• Missing CSRF protection — state-changing endpoints without CSRF tokens

10. Stack-Specific Checks

Node.js / Express

• Verify helmet middleware is installed and configured
• Check express.json() has a size limit:

  express.json({ limit: '10kb' })

• Verify cookie settings: httpOnly, secure, sameSite
• Check for prototype pollution in object merging (lodash.merge, Object.assign with user input)
• Verify child_process calls sanitize all inputs
• Check that express-rate-limit is applied to auth endpoints
• Look for event emitter memory leaks (missing removeListener)
• Verify no use of

  eval()

  ,

  Function()

  , or

  vm.runInNewContext()

  with user input

Python / Django

• Verify

  DEBUG = False

  in production settings
• Check

  ALLOWED_HOSTS

  is not

  ['*']

• Verify CSRF middleware is enabled
• Check for raw SQL queries without parameterization
• Verify

  SECRET_KEY

  is loaded from environment, not hardcoded
• Check for pickle deserialization of user input (RCE risk)
• Verify django-cors-headers is configured with specific origins
• Check that

  @login_required

  or permission classes are on all protected views
• Look for unsafe YAML loading (

  yaml.load()

  without

  Loader=SafeLoader

  )
• Verify

  SECURE_SSL_REDIRECT

  ,

  SESSION_COOKIE_SECURE

  ,

  CSRF_COOKIE_SECURE

  are True in production

Python / Flask

• Verify

  app.secret_key

  is not hardcoded
• Check for missing

  @login_required

  decorators on protected routes
• Verify Jinja2 auto-escaping is enabled (default in Flask, but check custom templates)
• Check that

  flask-talisman

  or similar is used for security headers
• Verify

  flask-limiter

  is applied to auth and sensitive endpoints
• Check for unsafe file uploads (missing

  secure_filename()

  from werkzeug)

React / Next.js

• Check for

  dangerouslySetInnerHTML

  with unsanitized input
• Verify no tokens stored in localStorage (use httpOnly cookies)
• Check for sensitive data in client-side code or bundle
• Verify environment variables use

  NEXT_PUBLIC_

  prefix only for non-sensitive values
• Check for open redirects in URL parameters
• Verify API routes have proper authentication middleware
• Check that Server Actions validate input and check authorization
• Look for sensitive data in

  getServerSideProps

  that leaks to

  pageProps

• Verify

  next.config.js

  has proper security headers configured
• Check for exposed source maps in production

Vue / Nuxt

• Check for

  v-html

  with unsanitized user input
• Verify no tokens stored in localStorage
• Check

  nuxt.config

  for exposed runtime config secrets
• Verify server middleware has authentication checks
• Check for sensitive data leaking from server to client via

  useAsyncData

  or

  useFetch

Ruby on Rails

• Verify

  config.force_ssl = true

  in production
• Check for

  html_safe

  or

  raw

  on user-supplied content
• Verify

  protect_from_forgery

  is enabled
• Check for mass assignment vulnerabilities (missing

  strong_parameters

  )
• Verify

  has_secure_password

  uses bcrypt
• Check for unsafe

  send()

  or

  constantize()

  with user input
• Verify

  config.filter_parameters

  includes sensitive fields

Go

• Check for SQL injection in

  fmt.Sprintf

  used in queries (use parameterized queries)
• Verify TLS configuration uses minimum TLS 1.2
• Check for path traversal in

  http.ServeFile

  or

  os.Open

• Verify proper error handling (no sensitive data in error responses)
• Check for race conditions on shared state (missing mutex)
• Verify

  crypto/rand

  is used instead of

  math/rand

  for security-sensitive values
• Check for unchecked type assertions that could cause panics

Java / Spring Boot

• Verify Spring Security is configured and not using

  permitAll()

  on sensitive endpoints
• Check for SQL injection in

  @Query

  annotations with string concatenation
• Verify CSRF protection is enabled (default in Spring Security)
• Check for deserialization vulnerabilities (Jackson, Java serialization)
• Verify

  @Valid

  annotation is present on request body parameters
• Check for hardcoded credentials in

  application.properties

  or

  application.yml

• Verify actuator endpoints are secured and not exposed publicly
• Check for Log4j/Log4Shell vulnerability in dependencies

PHP / Laravel

• Verify

  APP_DEBUG=false

  in production

  .env

• Check for raw SQL queries without parameter binding
• Verify CSRF middleware is applied to all POST/PUT/DELETE routes
• Check for

  eval()

  ,

  exec()

  ,

  system()

  with user input
• Verify file uploads use validation rules (mimes, max size)
• Check that

  Auth::check()

  or middleware guards protect sensitive routes
• Verify

  mass assignment

  protection via

  $fillable

  or

  $guarded

• Check for unsafe blade rendering with

  {!! !!}

  on user input

Mobile (React Native / Flutter)

• Check for sensitive data stored in AsyncStorage/SharedPreferences (use encrypted storage)
• Verify API keys are not embedded in the app bundle
• Check for certificate pinning on sensitive API calls
• Verify deep link handlers validate input before navigation
• Check for sensitive data in app logs (visible via adb logcat / Console.app)
• Verify biometric authentication properly validates server-side
• Check for insecure WebView configurations (JavaScript enabled with untrusted content)

Payment Security

• Verify PCI DSS compliance requirements are met
• Check that full credit card numbers are never stored or logged
• Verify payment processing uses tokenization
• Check that webhook endpoints validate signatures
• Verify refund endpoints have proper authorization and rate limiting
• Check that payment amounts are validated server-side (not trusted from client)
• Verify payment confirmation pages don't expose transaction details in URLs
• Check for race conditions in payment processing (double-charge risk)

AWS / Cloud Infrastructure

• Check for overly permissive IAM policies (

  "Action": "*"

  ,

  "Resource": "*"

  )
• Verify S3 buckets are not publicly accessible
• Check for unencrypted RDS instances or EBS volumes
• Verify security groups don't allow 0.0.0.0/0 on sensitive ports
• Check for hardcoded AWS credentials (use IAM roles instead)
• Verify CloudTrail logging is enabled
• Check for publicly accessible EC2 instances with sensitive services
• Verify secrets are stored in AWS Secrets Manager or Parameter Store

Docker / Containers

• Check for containers running as root
• Verify base images are from trusted sources and pinned to specific versions
• Check for secrets baked into Docker images (use build secrets or runtime env)
• Verify

  .dockerignore

  excludes

  .env

  ,

  .git

  ,

  node_modules

• Check for unnecessary packages installed in production images
• Verify health checks are configured
• Check for exposed ports that shouldn't be public

Output Format

• Vulnerability: What the issue is
• Risk: What an attacker could do with this
• Proof: How to exploit it (for internal team understanding)
• Fix: Exact code change to resolve it
• Reference: CWE or OWASP link if applicable

// vulnerable code
...

// fixed code
...

• 🔴 CRITICAL — Actively exploitable. Data breach, RCE, or full system compromise. Fix immediately.
• 🟠 HIGH — Exploitable with some effort. Significant data exposure or privilege escalation. Fix before next deploy.
• 🟡 MEDIUM — Requires specific conditions to exploit. Fix within current sprint.
• 🟢 LOW — Minor issue or defense-in-depth improvement. Fix when convenient.

Summary

1. Risk rating — Overall security posture (Critical / High / Medium / Low risk)
2. Critical findings count — Number of issues that need immediate attention
3. Top 3 most dangerous issues — Ranked by exploitability and impact
4. Quick wins — Fixes that take <30 minutes and significantly reduce risk
5. Recommendations — Longer-term improvements (WAF, security headers, dependency scanning in CI, etc.)
6. What's done well — Security practices already in place that should be maintained