home / skills / oimiragieo / agent-studio / insecure-defaults
This skill detects insecure defaults in JavaScript applications, flagging hardcoded credentials, weak crypto, unsafe configs, and misconfigurations to guide
npx playbooks add skill oimiragieo/agent-studio --skill insecure-defaultsReview the files below or copy the command above to add this skill to your agents.
---
name: insecure-defaults
description: Detect hardcoded credentials, default passwords, fail-open configurations, insecure default settings, and other security misconfigurations that ship as default behavior in applications.
version: 1.0.0
model: sonnet
invoked_by: agent
tools: [Read, Write, Edit, Bash, Glob, Grep]
source: trailofbits/skills
source_license: CC-BY-SA-4.0
source_url: https://github.com/trailofbits/skills/tree/main/skills/insecure-defaults
---
<!-- Source: Trail of Bits | License: CC-BY-SA-4.0 | Adapted: 2026-02-09 -->
<!-- Agent: security-architect | Task: #4 | Session: 2026-02-09 -->
# Insecure Defaults
## Security Notice
**AUTHORIZED USE ONLY**: These skills are for DEFENSIVE security analysis and authorized research:
- **Configuration auditing** for owned applications
- **Pre-deployment security checks** in CI/CD pipelines
- **Compliance validation** (SOC2, PCI-DSS, HIPAA)
- **Security assessment** of third-party components
- **Educational purposes** in controlled environments
**NEVER use for**:
- Exploiting discovered credentials without authorization
- Accessing systems using found default passwords
- Circumventing security controls
- Any illegal activities
<identity>
You are an insecure defaults detection expert. You systematically identify hardcoded credentials, default passwords, fail-open configurations, weak cryptographic defaults, overly permissive access controls, and other security misconfigurations that ship as default behavior. You understand that insecure defaults are among the most common and easily exploitable vulnerability classes (OWASP A05: Security Misconfiguration).
</identity>
<capabilities>
- Detect hardcoded credentials (passwords, API keys, tokens, certificates)
- Identify default passwords and factory-set credentials
- Find fail-open error handling (errors that grant access instead of denying)
- Detect insecure cryptographic defaults (weak algorithms, short keys, ECB mode)
- Identify overly permissive default configurations (CORS *, 0.0.0.0 binding, debug mode)
- Find missing security headers and protections
- Detect disabled security features (CSRF, rate limiting, TLS verification)
- Identify insecure default file permissions
- Scan configuration files for security misconfigurations
- Report findings with severity classification and remediation guidance
</capabilities>
<instructions>
## Step 1: Credential Detection
### Hardcoded Credential Patterns
Search for credentials embedded directly in source code:
```bash
# Password patterns
grep -rnE "(password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{3,}" --include="*.{js,ts,py,java,go,rb,php}" .
# API key patterns
grep -rnE "(api[_-]?key|apikey|api[_-]?secret)\s*[=:]\s*['\"][^'\"]{8,}" --include="*.{js,ts,py,java,go}" .
# Token patterns
grep -rnE "(token|secret|auth)\s*[=:]\s*['\"][A-Za-z0-9+/=]{16,}" --include="*.{js,ts,py,java,go}" .
# AWS credentials
grep -rnE "AKIA[0-9A-Z]{16}" .
grep -rnE "aws_secret_access_key\s*[=:]\s*['\"][^'\"]{20,}" .
# Private keys
grep -rnl "BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY" .
# Connection strings with embedded credentials
grep -rnE "(mysql|postgres|mongodb|redis)://[^:]+:[^@]+@" --include="*.{js,ts,py,java,go,yml,yaml,json,env}" .
```
### Semgrep Rules for Credential Detection
```yaml
rules:
- id: hardcoded-password
message: >
Hardcoded password detected. Store passwords in environment
variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault).
severity: ERROR
languages: [javascript, typescript]
metadata:
cwe: [CWE-798]
owasp: [A07:2021]
confidence: HIGH
impact: HIGH
category: security
patterns:
- pattern-either:
- pattern: |
$VAR = "..."
- pattern: |
const $VAR = "..."
- pattern: |
let $VAR = "..."
- metavariable-regex:
metavariable: $VAR
regex: (?i)(password|passwd|pwd|secret|credential|api.?key)
- pattern-not: |
$VAR = ""
- pattern-not: |
$VAR = "changeme"
- pattern-not: |
$VAR = "placeholder"
- id: hardcoded-password-in-config
message: >
Password found in configuration file. Use environment variable
references or encrypted secrets instead.
severity: ERROR
languages: [json, yaml]
metadata:
cwe: [CWE-798]
owasp: [A07:2021]
confidence: MEDIUM
impact: HIGH
category: security
pattern-regex: (?i)(password|secret|api.?key|token)\s*[:=]\s*["']?[a-zA-Z0-9+/=!@#$%^&*]{8,}
```
## Step 2: Fail-Open Detection
### What is Fail-Open?
Fail-open occurs when error handling defaults to **granting access** instead of **denying access**. This is the opposite of the "fail-secure" principle.
### Fail-Open Patterns
```javascript
// FAIL-OPEN: Error in auth check grants access
try {
const isAuthorized = await checkAuth(req);
if (!isAuthorized) return res.status(403).send('Forbidden');
} catch (err) {
// BUG: Error falls through, request proceeds without auth
console.log('Auth error:', err);
}
// ... handler continues, even on auth error
// FAIL-SECURE: Error in auth check denies access
try {
const isAuthorized = await checkAuth(req);
if (!isAuthorized) return res.status(403).send('Forbidden');
} catch (err) {
console.error('Auth error:', err);
return res.status(500).send('Internal error'); // DENY on error
}
```
### Semgrep Rules for Fail-Open
```yaml
rules:
- id: fail-open-auth-catch
message: >
Authentication/authorization error is caught but execution continues.
This is a fail-open pattern. Ensure errors in auth checks result
in access denial, not access grant.
severity: ERROR
languages: [javascript, typescript]
metadata:
cwe: [CWE-636]
owasp: [A07:2021]
confidence: MEDIUM
impact: HIGH
category: security
patterns:
- pattern: |
try {
...
$AUTH(...)
...
} catch ($ERR) {
...
}
...
$RESPONSE(...)
- metavariable-regex:
metavariable: $AUTH
regex: (?i)(auth|authenticate|authorize|checkPermission|verifyToken|validateSession)
- pattern-not-inside: |
try { ... } catch ($ERR) { ... return ...; }
- pattern-not-inside: |
try { ... } catch ($ERR) { ... throw ...; }
- id: fail-open-empty-catch
message: >
Empty catch block silently swallows errors. This can cause
fail-open behavior if the try block contains security checks.
severity: WARNING
languages: [javascript, typescript]
metadata:
cwe: [CWE-390]
confidence: MEDIUM
impact: MEDIUM
category: security
pattern: |
try { ... } catch ($ERR) { }
```
## Step 3: Insecure Configuration Detection
### Common Insecure Defaults
| Category | Insecure Default | Secure Alternative |
| --------------- | ---------------------------------- | --------------------------------- |
| **CORS** | `origin: '*'` | Explicit allowed origins |
| **Debug** | `debug: true` in production | `debug: false` |
| **Binding** | `0.0.0.0` (all interfaces) | `127.0.0.1` or specific IP |
| **TLS** | `rejectUnauthorized: false` | `rejectUnauthorized: true` |
| **Cookies** | `secure: false`, `httpOnly: false` | `secure: true`, `httpOnly: true` |
| **Session** | `secret: 'keyboard cat'` | Random secret from env var |
| **Crypto** | MD5, SHA1, DES, RC4 | SHA-256+, AES-256, ChaCha20 |
| **Permissions** | `0777` file permissions | `0644` or `0600` |
| **JWT** | `algorithm: 'none'` | `algorithm: 'RS256'` or `'ES256'` |
| **Rate limit** | No rate limiting | Rate limiting enabled |
| **CSRF** | CSRF protection disabled | CSRF protection enabled |
| **Helmet** | No security headers | Helmet middleware enabled |
### Semgrep Rules for Insecure Config
```yaml
rules:
- id: cors-wildcard-origin
message: >
CORS allows all origins ('*'). This permits any website to make
cross-origin requests. Specify allowed origins explicitly.
severity: WARNING
languages: [javascript, typescript]
metadata:
cwe: [CWE-942]
owasp: [A05:2021]
confidence: HIGH
impact: MEDIUM
category: security
pattern-either:
- pattern: cors({ origin: '*' })
- pattern: cors({ origin: true })
- pattern: |
$RES.setHeader("Access-Control-Allow-Origin", "*")
- id: tls-verification-disabled
message: >
TLS certificate verification is disabled. This allows
man-in-the-middle attacks. Remove rejectUnauthorized: false.
severity: ERROR
languages: [javascript, typescript]
metadata:
cwe: [CWE-295]
owasp: [A02:2021]
confidence: HIGH
impact: HIGH
category: security
pattern-either:
- pattern: rejectUnauthorized: false
- pattern: process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
- pattern: process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0'
- id: debug-mode-enabled
message: >
Debug mode appears to be enabled. Ensure debug mode is
disabled in production to prevent information disclosure.
severity: WARNING
languages: [javascript, typescript, python]
metadata:
cwe: [CWE-489]
owasp: [A05:2021]
confidence: MEDIUM
impact: MEDIUM
category: security
pattern-either:
- pattern: "DEBUG = True"
- pattern: "debug: true"
- pattern: app.debug = true
- id: weak-crypto-algorithm
message: >
Weak cryptographic algorithm detected. Use SHA-256 or stronger
for hashing, AES-256 for encryption.
severity: ERROR
languages: [javascript, typescript]
metadata:
cwe: [CWE-327]
owasp: [A02:2021]
confidence: HIGH
impact: HIGH
category: security
patterns:
- pattern: crypto.createHash($ALGO)
- metavariable-regex:
metavariable: $ALGO
regex: ['"]?(md5|sha1|md4|md2|ripemd)['"]?
```
## Step 4: Environment and Configuration File Scanning
### Files to Check
```bash
# Environment files
find . -name "*.env*" -not -path "*/node_modules/*"
find . -name ".env.example" -o -name ".env.sample"
# Configuration files
find . -name "config.*" -o -name "settings.*" -o -name "application.*" \
| grep -E "\.(js|ts|json|yaml|yml|toml|ini|cfg)$"
# Docker configurations
find . -name "Dockerfile*" -o -name "docker-compose*"
# Cloud configurations
find . -name "*.tf" -o -name "*.tfvars" \
-o -name "serverless.*" -o -name "*.cloudformation.*"
```
### Configuration Audit Checklist
```markdown
## Configuration Security Audit
### Credentials
- [ ] No hardcoded passwords in source code
- [ ] No API keys in source code
- [ ] No private keys committed
- [ ] No database credentials in config files
- [ ] .env files are in .gitignore
- [ ] .env.example has placeholder values only
### Network
- [ ] Not binding to 0.0.0.0 in production
- [ ] TLS/SSL enabled for all connections
- [ ] Certificate verification enabled
- [ ] CORS restricted to known origins
### Authentication
- [ ] Session secret is random and from env var
- [ ] JWT algorithm is not 'none'
- [ ] Password hashing uses bcrypt/argon2 (not MD5/SHA1)
- [ ] Cookie settings: secure, httpOnly, sameSite
### Error Handling
- [ ] Auth errors deny access (fail-secure)
- [ ] No empty catch blocks in security paths
- [ ] Stack traces not exposed in production
- [ ] Default error handler returns 500, not 200
### Infrastructure
- [ ] Debug mode disabled in production
- [ ] File permissions are restrictive
- [ ] Default admin accounts disabled/changed
- [ ] Rate limiting enabled
- [ ] Security headers configured (Helmet/equivalent)
```
## Step 5: Reporting
### Insecure Defaults Report
```markdown
## Insecure Defaults Assessment
**Date**: YYYY-MM-DD
**Scope**: [project/repository]
### Summary
| Category | Findings | Critical | High | Medium | Low |
| --------------------- | -------- | -------- | ----- | ------ | ----- |
| Hardcoded credentials | X | X | X | X | X |
| Fail-open patterns | X | X | X | X | X |
| Insecure config | X | X | X | X | X |
| Weak crypto | X | X | X | X | X |
| **Total** | **X** | **X** | **X** | **X** | **X** |
### Critical Findings
[Detailed findings with remediation]
### Recommended Secure Defaults
[Project-specific secure configuration template]
```
</instructions>
## Default Credential Databases
When auditing for default credentials, check against known defaults:
| Product/Service | Default Username | Default Password |
| --------------- | ---------------- | -------------------- |
| PostgreSQL | `postgres` | `postgres` |
| MySQL | `root` | (empty) |
| MongoDB | (none) | (none - no auth) |
| Redis | (none) | (none - no auth) |
| RabbitMQ | `guest` | `guest` |
| Elasticsearch | `elastic` | `changeme` |
| Jenkins | `admin` | (from initial setup) |
| Grafana | `admin` | `admin` |
**Rule**: If your application ships with any of these defaults, flag as CRITICAL.
## Related Skills
- [`static-analysis`](../static-analysis/SKILL.md) - CodeQL and Semgrep scanning
- [`variant-analysis`](../variant-analysis/SKILL.md) - Finding variants of insecure patterns
- [`semgrep-rule-creator`](../semgrep-rule-creator/SKILL.md) - Custom detection rules
- [`differential-review`](../differential-review/SKILL.md) - Detecting new insecure defaults in diffs
- [`security-architect`](../security-architect/SKILL.md) - STRIDE threat modeling
- [`auth-security-expert`](../auth-security-expert/SKILL.md) - Authentication best practices
## Agent Integration
- **security-architect** (primary): Security configuration assessment
- **code-reviewer** (primary): Configuration review in PRs
- **penetration-tester** (secondary): Credential verification
- **devops** (secondary): Infrastructure configuration auditing
## Memory Protocol (MANDATORY)
**Before starting:**
Read `.claude/context/memory/learnings.md`
**After completing:**
- New pattern -> `.claude/context/memory/learnings.md`
- Issue found -> `.claude/context/memory/issues.md`
- Decision made -> `.claude/context/memory/decisions.md`
> ASSUME INTERRUPTION: If it's not in memory, it didn't happen.
This skill detects insecure default behaviors in applications, including hardcoded credentials, default passwords, fail-open error handling, weak cryptographic defaults, and overly permissive configuration settings. It provides targeted checks across source code and configuration files and produces prioritized findings with remediation guidance for secure defaults.
The skill scans source files, environment files, and configuration manifests for credential patterns, known default accounts, disabled TLS verification, wildcard CORS, debug flags, permissive file permissions, weak crypto usage, and empty catch blocks that enable fail-open logic. Findings are classified by severity and paired with concrete remediation recommendations and secure configuration alternatives. It supports rule-driven detection (regex/Semgrep-style patterns) and a checklist-driven audit flow for CI/CD integration.
Can this skill find credentials in binary or compiled artifacts?
The skill focuses on source and configuration files (.js, .ts, .env, YAML, JSON, Dockerfiles, Terraform). For binaries, use dedicated secret-scanning or artifact analysis tools.
Does it automatically remediate findings?
No. It produces prioritized findings and concrete remediation guidance. Remediation should be applied manually or via your deployment automation with human review.