Stats
Actions
Tags
From vuln-scout
Detects security misconfigurations like enabled debug modes, default credentials, missing security headers, exposed endpoints, and TLS issues using grep patterns in Python/Django/Flask, Java/Spring, PHP/Laravel, Go/Gin, Node.js apps.
How this skill is triggered — by the user, by Claude, or both
Slash command
/vuln-scout:security-misconfigurationThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Provide detection patterns for security misconfiguration vulnerabilities including default credentials, debug mode exposure, missing security headers, and insecure TLS settings.
Provide detection patterns for security misconfiguration vulnerabilities including default credentials, debug mode exposure, missing security headers, and insecure TLS settings.
Category: A05 - Security Misconfiguration
CWEs:
Activate this skill when:
# Django debug mode
grep -rniE "DEBUG\s*=\s*True" --include="*.py" --include="settings.py"
# Flask debug mode
grep -rniE "app\.debug\s*=\s*True|FLASK_DEBUG|debug=True" --include="*.py"
# Environment files
grep -rniE "DEBUG=1|DEBUG=true|DEBUG=True" --include="*.env" --include=".env*"
# Spring DevTools / Debug
grep -rniE "spring\.devtools|management\.endpoints\.web\.exposure|actuator" --include="*.properties" --include="*.yaml" --include="*.yml"
# Exposed actuator endpoints
grep -rniE "exposure\.include.*\*|exposure\.include.*health,info,env" --include="*.properties" --include="*.yaml"
# Display errors
grep -rniE "display_errors.*On|display_errors.*1|error_reporting.*E_ALL" --include="*.php" --include="php.ini"
# Laravel debug
grep -rniE "APP_DEBUG=true|'debug'.*=>.*true" --include="*.env" --include="*.php"
# Gin debug mode
grep -rniE "gin\.SetMode.*gin\.DebugMode|GIN_MODE=debug" --include="*.go" --include="*.env"
# pprof enabled
grep -rniE "net/http/pprof|/debug/pprof" --include="*.go"
# Debug environment
grep -rniE "NODE_ENV.*development|DEBUG=\*|debug.*true" --include="*.ts" --include="*.js" --include="*.env"
# Common default passwords
grep -rniE "password.*['\"]admin['\"]|password.*['\"]123456['\"]|password.*['\"]password['\"]|password.*['\"]root['\"]|password.*['\"]test['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Default usernames with passwords
grep -rniE "admin.*admin|root.*root|user.*password|test.*test" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.env" --include="*.yaml"
# Database defaults
grep -rniE "postgres.*postgres|mysql.*root|mongodb.*admin" --include="*.env" --include="*.yaml" --include="*.properties"
| Service | Username | Password |
|---|---|---|
| PostgreSQL | postgres | postgres |
| MySQL | root | (empty) |
| MongoDB | admin | admin |
| Redis | (none) | (none) |
| RabbitMQ | guest | guest |
| Elasticsearch | elastic | changeme |
| Jenkins | admin | admin |
| Grafana | admin | admin |
# Admin routes
grep -rniE "[\"\'/]admin|[\"\'/]_admin|[\"\'/]administrator" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Debug/Dev endpoints
grep -rniE "[\"\'/]debug|[\"\'/]_debug|[\"\'/]dev|[\"\'/]test" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Internal endpoints
grep -rniE "[\"\'/]internal|[\"\'/]private|[\"\'/]system" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Monitoring endpoints
grep -rniE "[\"\'/]metrics|[\"\'/]health|[\"\'/]status|[\"\'/]actuator|[\"\'/]swagger|[\"\'/]graphql" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
| Framework | Endpoint | Risk |
|---|---|---|
| Spring Boot | /actuator/* | Env vars, heap dump |
| Django | /admin/ | Admin panel |
| Rails | /rails/info | Version disclosure |
| Laravel | /telescope | Debug info |
| Express | /graphql | Introspection |
| Go pprof | /debug/pprof | Memory/CPU profiling |
# Look for header setting code
grep -rniE "Content-Security-Policy|X-Frame-Options|X-Content-Type-Options|Strict-Transport-Security|X-XSS-Protection" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Middleware/interceptor configuration
grep -rniE "helmet|securityHeaders|addHeader|setHeader.*security" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
| Header | Value | Purpose |
|---|---|---|
| Content-Security-Policy | default-src 'self' | Prevent XSS |
| X-Frame-Options | DENY | Prevent clickjacking |
| X-Content-Type-Options | nosniff | Prevent MIME sniffing |
| Strict-Transport-Security | max-age=31536000 | Force HTTPS |
| X-XSS-Protection | 1; mode=block | XSS filter (legacy) |
| Referrer-Policy | strict-origin-when-cross-origin | Control referrer |
| Permissions-Policy | geolocation=() | Limit browser features |
# Insecure TLS versions
grep -rniE "SSLv2|SSLv3|TLSv1\.0|TLSv1\.1|ssl\.PROTOCOL_SSLv|TLS_RSA_" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Disabled certificate verification
grep -rniE "verify.*false|InsecureSkipVerify.*true|VERIFY_NONE|verify_ssl.*False|rejectUnauthorized.*false" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Weak ciphers
grep -rniE "DES|RC4|MD5|NULL|EXPORT|anon" --include="*.go" --include="*.py" --include="*.java" --include="*.conf"
Minimum: TLS 1.2 Recommended: TLS 1.3
Safe cipher suites:
# Nginx
grep -rniE "autoindex\s+on" --include="*.conf" --include="nginx.conf"
# Apache
grep -rniE "Options.*Indexes|DirectoryIndex" --include="*.conf" --include=".htaccess"
# Application-level
grep -rniE "directory.*listing|listFiles|readdir" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
Proxy caches (Nginx, Varnish, CDN) can expose sensitive data if:
See also: cache-poisoning skill for comprehensive cache attack patterns.
# Nginx proxy cache configuration
grep -rniE "proxy_cache|proxy_cache_valid|proxy_cache_key" --include="*.conf" --include="nginx.conf"
# CRITICAL: Cache rules for static extensions on dynamic paths
grep -rniE "location.*\.(css|js|png|jpg|jpeg|gif|ico|svg)" -A10 --include="*.conf" | grep -iE "proxy_cache|cache"
# Missing cache bypass for authenticated requests
grep -rniE "proxy_cache_bypass|proxy_no_cache" --include="*.conf"
# Varnish cache rules
grep -rniE "vcl_recv|vcl_hash|set beresp\.ttl" --include="*.vcl"
proxy_cache_bypass $http_authorization)# Wildcard origin
grep -rniE "Access-Control-Allow-Origin.*\*|AllowAllOrigins|cors.*origin.*\*" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Dynamic origin reflection (vulnerable)
grep -rniE "Origin.*header|request\.headers\.origin|getHeader.*Origin" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Credentials with wildcard (invalid but attempted)
grep -rniE "Access-Control-Allow-Credentials.*true" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Stack traces in responses
grep -rniE "printStackTrace|traceback|\.stack|debug.*true.*error" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Detailed error responses
grep -rniE "error.*message.*\+|err\.Error\(\)|e\.getMessage\(\)" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# HTTP methods (should disable unused)
grep -rniE "TRACE|OPTIONS|PUT|DELETE" --include="*.conf" --include="*.xml"
# Unused ports
grep -rniE "listen.*22|listen.*21|listen.*3306|listen.*5432" --include="*.conf" --include="*.yaml"
# Development dependencies in production
grep -rniE "devDependencies|dev-dependencies" --include="package.json" --include="Cargo.toml"
grep -rniE "DEBUG|SECRET_KEY|ALLOWED_HOSTS.*\*|CSRF_COOKIE_SECURE.*False|SESSION_COOKIE_SECURE.*False" --include="settings.py"
grep -rniE "management\.endpoints|spring\.datasource\.password|server\.error\.include-stacktrace" --include="*.properties" --include="*.yaml"
grep -rniE "trust proxy|x-powered-by|helmet|NODE_ENV" --include="*.ts" --include="*.js"
grep -rniE "APP_DEBUG|APP_KEY|MAIL_PASSWORD|DB_PASSWORD" --include=".env" --include="*.php"
| CWE | Name | Example |
|---|---|---|
| CWE-16 | Configuration | Insecure default settings |
| CWE-209 | Error Info Exposure | Stack traces to users |
| CWE-215 | Debug Info Exposure | Debug endpoints accessible |
| CWE-524 | Sensitive Info in Cache | Authenticated data cached by proxy |
| CWE-548 | Directory Listing | autoindex on |
| CWE-756 | Missing Error Page | Default error pages |
npx claudepluginhub allsmog/vuln-scout --plugin whitebox-pentestDetects insecure defaults, overly permissive CORS, exposed debug endpoints, and missing security headers in server configuration and middleware.
Detects fail-open insecure defaults like hardcoded secrets, weak auth, permissive configs, and env fallbacks that let apps run insecurely in production. For security audits, config reviews, and pre-deployment checks.
Detects fail-open insecure defaults like hardcoded secrets, weak auth, permissive configs, and env fallbacks that let apps run insecurely in production. For security audits, config reviews, and pre-deployment checks.