不安全默认配置检测工具 - 发现故障开放漏洞，提升应用安全审计效率

insecure-defaults by trailofbits/skills

1,100 周安装量

3,900 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/trailofbits/skills --skill insecure-defaults

开发运维测试安全

🇨🇳中文介绍

不安全默认配置检测

发现应用程序在缺少配置时以不安全方式运行的故障开放漏洞。区分可利用的默认配置与安全崩溃的故障安全模式。

故障开放（严重）： SECRET = env.get('KEY') or 'default' → 应用程序使用弱密钥运行
故障安全（安全）： SECRET = env['KEY'] → 如果缺失，应用程序会崩溃

使用时机

生产应用程序的安全审计（认证、加密、API 安全）
部署文件、IaC 模板、Docker 配置的配置审查
环境变量处理和密钥管理的代码审查
部署前检查硬编码凭据或弱默认配置

不适用场景

请勿将此技能用于：

明确限定在测试环境的测试固件（位于 test/、spec/、__tests__/ 目录中的文件）

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

应拒绝的合理化解释

“这只是开发默认值” → 如果它出现在生产代码中，就是一个发现项
“生产配置会覆盖它” → 验证生产配置是否存在；如果不存在，代码级漏洞仍然存在
“没有正确配置，这永远不会运行” → 通过代码追踪来证明；许多应用程序会静默失败
“这有身份验证保护” → 深度防御；会话被攻破后仍可利用弱默认配置
“我们会在发布前修复它” → 现在记录；“以后”很少会来

对每个潜在发现项遵循此工作流程：

1. 搜索：执行项目发现并查找不安全默认配置

确定语言、框架和项目约定。使用此信息进一步发现密钥存储位置、密钥使用模式、带凭据的第三方集成、加密以及任何其他相关配置。进一步利用信息分析不安全的默认配置。

示例在 **/config/、**/auth/、**/database/ 和环境文件中搜索模式：

回退密钥： getenv.*\) or ['"], process\.env\.[A-Z_]+ \|\| ['"], ENV\.fetch.*default:
硬编码凭据： password.*=.*['"][^'"]{8,}['"], api[_-]?key.*=.*['"][^'"]+['"]
弱默认配置： DEBUG.*=.*true, AUTH.*=.*false, CORS.*=.*\*
加密算法： 安全上下文中的 MD5|SHA1|DES|RC4|ECB

根据发现结果调整搜索方法。

关注可到达生产环境的代码，而非测试固件或示例文件。

2. 验证：实际行为

对每个匹配项，追踪代码路径以理解运行时行为。

需要回答的问题：

此代码何时执行？（启动时 vs. 运行时）
如果配置变量缺失会发生什么？
是否有强制执行安全配置的验证？

3. 确认：生产影响

确定此问题是否影响生产环境：

如果生产配置提供了变量 → 较低严重性（但仍是代码级漏洞）
如果生产配置缺失或使用默认值 → 严重

4. 报告：附带证据

发现项：硬编码的 JWT 密钥回退
位置：src/auth/jwt.ts:15
模式：const secret = process.env.JWT_SECRET || 'default';

验证：应用程序在没有 JWT_SECRET 的情况下启动；密钥在第 42 行的 jwt.sign() 中使用
生产影响：Dockerfile 缺少 JWT_SECRET
利用方式：攻击者使用 'default' 伪造 JWT，获得未授权访问

回退密钥： SECRET = env.get(X) or Y → 验证：应用程序在没有环境变量的情况下启动？密钥在加密/认证中使用？ → 跳过：测试固件、示例文件

默认凭据： 硬编码的 username/password 对 → 验证：在部署的配置中是否激活？没有运行时覆盖？ → 跳过：已禁用的账户、文档示例

故障开放安全： AUTH_REQUIRED = env.get(X, 'false') → 验证：默认值是否不安全（false/禁用/宽松）？ → 安全：应用程序崩溃或默认值是安全的（true/启用/限制）

弱加密： 安全上下文中的 MD5/SHA1/DES/RC4/ECB → 验证：用于密码、加密或令牌？ → 跳过：校验和、非安全哈希

宽松访问： CORS *、权限 0777、默认公开 → 验证：默认是否允许未授权访问？ → 跳过：有合理理由明确配置的宽松设置

调试功能： 堆栈跟踪、内省、详细错误 → 验证：默认启用？在响应中暴露？ → 跳过：仅限日志记录、不面向用户

有关详细示例和反例，请参阅 examples.md。

🇺🇸English

Insecure Defaults Detection

Finds fail-open vulnerabilities where apps run insecurely with missing configuration. Distinguishes exploitable defaults from fail-secure patterns that crash safely.

Fail-open (CRITICAL): SECRET = env.get('KEY') or 'default' → App runs with weak secret
Fail-secure (SAFE): SECRET = env['KEY'] → App crashes if missing

When to Use

Security audits of production applications (auth, crypto, API security)
Configuration review of deployment files, IaC templates, Docker configs
Code review of environment variable handling and secrets management
Pre-deployment checks for hardcoded credentials or weak defaults

When NOT to Use

Do not use this skill for:

Test fixtures explicitly scoped to test environments (files in test/, spec/, __tests__/)
Example/template files (.example, .template, .sample suffixes)
Development-only tools (local Docker Compose for dev, debug scripts)
Documentation examples in README.md or docs/ directories
Build-time configuration that gets replaced during deployment
Crash-on-missing behavior where app won't start without proper config (fail-secure)

When in doubt: trace the code path to determine if the app runs with the default or crashes.

Rationalizations to Reject

"It's just a development default" → If it reaches production code, it's a finding
"The production config overrides it" → Verify prod config exists; code-level vulnerability remains if not
"This would never run without proper config" → Prove it with code trace; many apps fail silently
"It's behind authentication" → Defense in depth; compromised session still exploits weak defaults
"We'll fix it before release" → Document now; "later" rarely comes

Workflow

Follow this workflow for every potential finding:

1. SEARCH: Perform Project Discovery and Find Insecure Defaults

Determine language, framework, and project conventions. Use this information to further discover things like secret storage locations, secret usage patterns, credentialed third-party integrations, cryptography, and any other relevant configuration. Further use information to analyze insecure default configurations.

Example Search for patterns in **/config/, **/auth/, **/database/, and env files:

Fallback secrets: getenv.*\) or ['"], process\.env\.[A-Z_]+ \|\| ['"], ENV\.fetch.*default:
Hardcoded credentials: password.*=.*['"][^'"]{8,}['"], api[_-]?key.*=.*['"][^'"]+['"]
Weak defaults: DEBUG.*=.*true, AUTH.*=.*false, CORS.*=.*\*
Crypto algorithms: MD5|SHA1|DES|RC4|ECB in security contexts

Tailor search approach based on discovery results.

Focus on production-reachable code, not test fixtures or example files.

2. VERIFY: Actual Behavior

For each match, trace the code path to understand runtime behavior.

Questions to answer:

When is this code executed? (Startup vs. runtime)
What happens if a configuration variable is missing?
Is there validation that enforces secure configuration?

3. CONFIRM: Production Impact

Determine if this issue reaches production:

If production config provides the variable → Lower severity (but still a code-level vulnerability) If production config missing or uses default → CRITICAL

4. REPORT: with Evidence

Example report:

Finding: Hardcoded JWT Secret Fallback
Location: src/auth/jwt.ts:15
Pattern: const secret = process.env.JWT_SECRET || 'default';

Verification: App starts without JWT_SECRET; secret used in jwt.sign() at line 42
Production Impact: Dockerfile missing JWT_SECRET
Exploitation: Attacker forges JWTs using 'default', gains unauthorized access

Quick Verification Checklist

Fallback Secrets: SECRET = env.get(X) or Y → Verify: App starts without env var? Secret used in crypto/auth? → Skip: Test fixtures, example files

Default Credentials: Hardcoded username/password pairs → Verify: Active in deployed config? No runtime override? → Skip: Disabled accounts, documentation examples

Fail-Open Security: AUTH_REQUIRED = env.get(X, 'false') → Verify: Default is insecure (false/disabled/permissive)? → Safe: App crashes or default is secure (true/enabled/restricted)

Weak Crypto: MD5/SHA1/DES/RC4/ECB in security contexts → Verify: Used for passwords, encryption, or tokens? → Skip: Checksums, non-security hashing

Permissive Access: CORS *, permissions 0777, public-by-default → Verify: Default allows unauthorized access? → Skip: Explicitly configured permissiveness with justification

Debug Features: Stack traces, introspection, verbose errors → Verify: Enabled by default? Exposed in responses? → Skip: Logging-only, not user-facing

For detailed examples and counter-examples, see examples.md.

Weekly Installs

1.1K

Repository

trailofbits/skills

GitHub Stars

3.9K

First Seen

Jan 28, 2026

Security Audits

Gen Agent Trust HubFail SocketPass SnykFail

Installed on

claude-code965

opencode904

codex884

cursor878

gemini-cli877

github-copilot864

Azure 升级评估与自动化工具 - 轻松迁移 Functions 计划、托管层级和 SKU

59,200 周安装