Insecure Defaults

​

Overview

​

Vulnerability Categories

​

When to Use

• Security auditing production applications or services
• Configuration review of deployment manifests (Docker, Kubernetes, IaC)
• Pre-production checks before deploying new services
• Code review of authentication, authorization, or cryptographic code
• Environment variable handling analysis for secrets management
• API security review checking CORS, rate limiting, authentication
• Third-party integration review for hardcoded test credentials

​

When NOT to Use

• Test fixtures explicitly scoped to test environments (test/, spec/, __tests__/)
• Example/template files (.example, .template, .sample suffixes)
• Development-only tools (local Docker Compose for dev, debug scripts)
• Documentation examples in README.md or docs/ directories
• Build-time configuration that gets replaced during deployment
• Crash-on-missing behavior where app won’t start without proper config (fail-secure)

​

Installation

/plugin install insecure-defaults

​

Workflow

​

Category 1: Fallback Secrets

​

Vulnerable Patterns

# File: src/auth/jwt.py
SECRET_KEY = os.environ.get('SECRET_KEY', 'dev-secret-key-123')

# Used in security context
def create_token(user_id):
    return jwt.encode({'user_id': user_id}, SECRET_KEY, algorithm='HS256')

​

Secure Patterns

# File: src/auth/jwt.py
SECRET_KEY = os.environ['SECRET_KEY']  # Raises KeyError if missing

# App won't start without SECRET_KEY - fail-secure

​

Category 2: Default Credentials

​

Vulnerable Patterns

# File: src/models/user.py
def bootstrap_admin():
    """Create default admin account if none exists"""
    if not User.query.filter_by(role='admin').first():
        admin = User(
            username='admin',
            password=hash_password('admin123'),
            role='admin'
        )
        db.session.add(admin)
        db.session.commit()

​

Secure Patterns

# File: src/models/user.py
def bootstrap_admin():
    """Admin account MUST be configured via environment"""
    username = os.environ['ADMIN_USERNAME']
    password = os.environ['ADMIN_PASSWORD']

    if not User.query.filter_by(username=username).first():
        admin = User(username=username, password=hash_password(password), role='admin')
        db.session.add(admin)

​

Category 3: Fail-Open Security

​

Vulnerable Patterns

# File: config/security.py
REQUIRE_AUTH = os.getenv('REQUIRE_AUTH', 'false').lower() == 'true'

@app.before_request
def check_auth():
    if not REQUIRE_AUTH:
        return  # Skip auth check
    # ... auth logic

​

Secure Patterns

# File: config/security.py
REQUIRE_AUTH = os.getenv('REQUIRE_AUTH', 'true').lower() == 'true'  # Default: true

# Or better - crash if not explicitly configured
REQUIRE_AUTH = os.environ['REQUIRE_AUTH'].lower() == 'true'

​

Category 4: Weak Crypto

​

Vulnerable Patterns

# File: src/auth/passwords.py
import hashlib

def hash_password(password):
    """Hash user password"""
    return hashlib.md5(password.encode()).hexdigest()

• MD5 is cryptographically broken, rainbow tables exist
• DES has 56-bit keys (brute-forceable), ECB mode leaks patterns
• SHA1 collisions exist

​

Secure Patterns

# File: src/auth/passwords.py
import bcrypt

def hash_password(password):
    return bcrypt.hashpw(password.encode(), bcrypt.gensalt())

​

Category 5: Permissive Access

​

Vulnerable Patterns

# File: src/storage/files.py
def create_secure_file(path):
    fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o666)  # rw-rw-rw-
    return fd

• Any user can write to file (should be 0o600 or 0o644)
• Sensitive data exposed publicly
• CORS misconfiguration allows credential theft from any site

​

Search Patterns

grep -r "getenv.*\) or ['\"]" **/config/ **/auth/
grep -r "process\.env\.[A-Z_]+ \|\| ['\"]" src/
grep -r "ENV\.fetch.*default:" config/

grep -r "password.*=.*['\"][^'\"]{8,}['\"]" src/
grep -r "api[_-]?key.*=.*['\"][^'\"]+['\"]" config/
grep -r "secret.*=.*['\"][^'\"]+['\"]" --include="*.py" --include="*.js"

grep -r "DEBUG.*=.*true" config/
grep -r "AUTH.*=.*false" src/
grep -r "CORS.*=.*\*" server/

grep -r "MD5\|SHA1\|DES\|RC4\|ECB" src/auth/ src/crypto/

​

Rationalizations to Reject

​

Report Format

Finding: Hardcoded JWT Secret Fallback
Location: src/auth/jwt.ts:15
Pattern: const secret = process.env.JWT_SECRET || 'default';

Verification: App starts without JWT_SECRET; secret used in jwt.sign() at line 42
Production Impact: Dockerfile missing JWT_SECRET
Exploitation: Attacker forges JWTs using 'default', gains unauthorized access

Severity: CRITICAL

​

Related Skills

• Audit Context Building - Understand security architecture
• Differential Review - Review config changes in PRs