Security Auditor

Identify and remediate security vulnerabilities in code.

When to Use

• Security review before deployment
• Auditing authentication/authorization
• Reviewing code handling sensitive data
• Checking for OWASP Top 10 vulnerabilities
• After a security incident

OWASP Top 10 Checklist

1. Broken Access Control

Check for:

• Missing authorization checks
• Insecure direct object references
• Path traversal vulnerabilities
• CORS misconfiguration

// Bad: No authorization check
app.get('/api/users/:id', async (req, res) => {
  const user = await User.findById(req.params.id);
  res.json(user);
});

// Good: Verify authorization
app.get('/api/users/:id', authenticate, async (req, res) => {
  if (req.user.id !== req.params.id && !req.user.isAdmin) {
    return res.status(403).json({ error: 'Forbidden' });
  }
  const user = await User.findById(req.params.id);
  res.json(user);
});

2. Cryptographic Failures

Check for:

• Sensitive data transmitted in clear text
• Weak cryptographic algorithms
• Hardcoded secrets
• Missing encryption at rest

// Bad: Weak hashing
const hash = crypto.createHash('md5').update(password).digest('hex');

// Good: Strong password hashing
const hash = await bcrypt.hash(password, 12);

3. Injection

Check for:

• SQL injection
• NoSQL injection
• Command injection
• LDAP injection

// Bad: SQL injection vulnerability
const query = `SELECT * FROM users WHERE id = ${userId}`;

// Good: Parameterized query
const query = 'SELECT * FROM users WHERE id = $1';
const result = await db.query(query, [userId]);

4. Insecure Design

Check for:

• Missing rate limiting
• No account lockout
• Lack of input validation
• Missing security headers

// Good: Rate limiting
import rateLimit from 'express-rate-limit';

const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5, // 5 attempts
  message: 'Too many login attempts'
});

app.post('/login', loginLimiter, loginHandler);

5. Security Misconfiguration

Check for:

• Default credentials
• Unnecessary features enabled
• Missing security headers
• Verbose error messages

// Good: Security headers
app.use(helmet());
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'"],
  }
}));

6. Vulnerable Components

Check for:

• Outdated dependencies
• Known vulnerable packages
• Unmaintained libraries

# Check for vulnerabilities
npm audit
pnpm audit

# Fix vulnerabilities
npm audit fix

7. Authentication Failures

Check for:

• Weak passwords allowed
• Missing MFA support
• Session fixation
• Credential stuffing vulnerability

// Good: Password requirements
const passwordSchema = z.string()
  .min(12, 'Minimum 12 characters')
  .regex(/[A-Z]/, 'Need uppercase')
  .regex(/[a-z]/, 'Need lowercase')
  .regex(/[0-9]/, 'Need number')
  .regex(/[^A-Za-z0-9]/, 'Need special character');

8. Data Integrity Failures

Check for:

• Missing integrity checks
• Unsigned updates
• Insecure deserialization

// Bad: Unsafe deserialization
const data = JSON.parse(untrustedInput);
eval(data.code);

// Good: Validate before use
const schema = z.object({
  name: z.string(),
  value: z.number()
});
const data = schema.parse(JSON.parse(untrustedInput));

9. Logging & Monitoring Failures

Check for:

• Missing audit logs
• No alerting on suspicious activity
• Sensitive data in logs

// Bad: Logging sensitive data
logger.info('User login', { username, password });

// Good: Redact sensitive fields
logger.info('User login', { username, password: '[REDACTED]' });

10. Server-Side Request Forgery (SSRF)

Check for:

• User-controlled URLs
• Internal service access
• Cloud metadata endpoints

// Bad: SSRF vulnerability
const response = await fetch(req.body.url);

// Good: Validate and allowlist
const allowedHosts = ['api.example.com'];
const url = new URL(req.body.url);
if (!allowedHosts.includes(url.hostname)) {
  throw new Error('Invalid URL');
}

Security Review Checklist

Authentication

• Passwords hashed with bcrypt/argon2 (cost factor ≥ 12)
• Session tokens are random and unpredictable
• Session expires after inactivity
• Password reset tokens expire quickly
• Account lockout after failed attempts

Authorization

• Every endpoint checks authorization
• Role-based access control implemented
• Principle of least privilege followed
• No reliance on client-side checks only

Input Validation

• All input validated on server side
• Allowlist validation preferred over blocklist
• File uploads validated (type, size, content)
• SQL queries use parameterized statements

Data Protection

• Sensitive data encrypted at rest
• HTTPS enforced everywhere
• Secure cookies (HttpOnly, Secure, SameSite)
• No secrets in code or logs

Headers & Configuration

• Security headers set (CSP, HSTS, etc.)
• CORS properly configured
• Debug mode disabled in production
• Error messages don't leak info

Report Format

## Security Audit Report

### Critical Issues
Issues requiring immediate attention.

#### [CRITICAL] SQL Injection in User Search
**Location**: `src/api/users.ts:45`
**Risk**: Database compromise, data theft
**Remediation**: Use parameterized queries

### High Severity
Significant vulnerabilities.

### Medium Severity
Issues that should be addressed.

### Low Severity
Minor issues and recommendations.

### Recommendations
General security improvements.

Quick Scan Commands

# Node.js dependency audit
npm audit --audit-level=high

# Python dependency scan
pip-audit

# Secret scanning
gitleaks detect

# SAST scanning
semgrep --config=auto .