# Detection Rules - Shoulder

Browse 347 security detection rules across 7 languages

- Total rules: 347
- CWE coverage: 94
- Languages: javascript, typescript, python, dockerfile, go, yaml, kubernetes

## Rules

### Django Debug Mode in Production

- ID: django-debug-mode-production
- Severity: CRITICAL
- CWE: CWE-489
- Languages: Python

Detects Django applications with `DEBUG = True` in settings. Debug mode exposes sensitive information including settings, environment variables, SQL queries, and stack traces. This must NEVER be enabled in production.

### Django Insecure SECRET_KEY

- ID: django-insecure-secret-key
- Severity: CRITICAL
- CWE: Hardcoded Credentials (CWE-798)
- Languages: Python

Detects a Django `SECRET_KEY` that is hardcoded, weak, or uses default values. The `SECRET_KEY` is used for cryptographic signing and must be kept secret and changed in production.

### Authentication Bypass Vulnerability

- ID: python-authentication-bypass
- Severity: CRITICAL
- CWE: Improper Authentication (CWE-287)
- Languages: Python

Detects authentication checks that can be bypassed due to missing return statements or weak boolean logic.

### Client-Controlled Authorization Data

- ID: python-client-controlled-authorization
- Severity: CRITICAL
- CWE: CWE-807
- Languages: Python

Detects authorization decisions based on client-controllable data such as cookies, query parameters, or form fields.

### Code Injection via eval/exec

- ID: python-code-injection
- Severity: CRITICAL
- CWE: Code Injection (CWE-94)
- Languages: Python

Detects untrusted user input flowing into code evaluation functions (`eval`, `exec`, `compile`).

### OS Command Injection

- ID: python-command-injection
- Severity: CRITICAL
- CWE: OS Command Injection (CWE-78)
- Languages: Python

Detects untrusted user input flowing into operating system command execution functions without proper sanitization.
### Dangerous Function Usage

- ID: python-dangerous-functions
- Severity: CRITICAL
- CWE: Code Injection (CWE-94)
- Languages: Python

Detects usage of dangerous Python functions that can lead to arbitrary code execution: `eval()`, `exec()`, `compile()`, `__import__()` with user input, or pickle deserialization. These should be avoided or heavily restricted.

### JWT Algorithm Confusion Attack

- ID: python-jwt-algorithm-confusion
- Severity: CRITICAL
- CWE: Improper Signature Verification (CWE-347)
- Languages: Python

Detects JWT tokens decoded without algorithm verification or accepting the `none` algorithm, allowing token forgery.

### Sensitive Field Exposure in API Response

- ID: python-sensitive-field-response-exposure
- Severity: CRITICAL
- CWE: Information Exposure (CWE-200)
- Languages: Python

Detects when sensitive data fields (passwords, tokens, secrets) are exposed through API endpoint responses. This commonly happens when:

1. Returning user dictionaries with sensitive fields
2. Serializing ORM objects without excluding sensitive fields
3. Including sensitive fields in JSON responses

Security Impact:

- Password hash exposure enabling offline cracking attacks
- API key/token leakage allowing account takeover
- Session token exposure enabling session hijacking
- PII disclosure violating privacy regulations (GDPR, CCPA)

### SQL Injection via Database Queries

- ID: python-sql-injection
- Severity: CRITICAL
- CWE: SQL Injection (CWE-89)
- Languages: Python

Detects untrusted user input flowing into SQL database queries without proper parameterization.

### Server-Side Template Injection (SSTI)

- ID: python-ssti
- Severity: CRITICAL
- CWE: Code Injection (CWE-94)
- Languages: Python

Detects user input used directly in template rendering, allowing arbitrary code execution.
### Unsafe Deserialization

- ID: python-unsafe-deserialization
- Severity: CRITICAL
- CWE: Deserialization of Untrusted Data (CWE-502)
- Languages: Python

Detects untrusted user input being deserialized using unsafe methods like `pickle.loads()` or `yaml.load()`.

### Credential Exfiltration via User-Controlled Endpoint

- ID: python-webhook-credential-exfiltration
- Severity: CRITICAL
- CWE: CWE-201
- Languages: Python

Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data.

Example vulnerable pattern:

```python
import os
import requests
from flask import request  # Flask's request object is assumed for this snippet

# User controls 'endpoint' from request
endpoint = request.form.get('webhook_url')
# Server sends its internal API key to attacker-controlled URL
requests.post(endpoint, headers={'X-API-Key': os.environ['INTERNAL_API_KEY']})
```

This is different from standard SSRF (which accesses internal resources): here the attacker exfiltrates server credentials to their own controlled endpoint.

### Unsafe YAML Deserialization

- ID: python-yaml-deserialization
- Severity: CRITICAL
- CWE: Deserialization of Untrusted Data (CWE-502)
- Languages: Python

Detects unsafe YAML deserialization using `yaml.load()` without `SafeLoader`.

### Django Mass Assignment Vulnerability

- ID: django-mass-assignment
- Severity: HIGH
- CWE: Mass Assignment (CWE-915)
- Languages: Python

Detects Django code that creates or updates models using all request data without validation. This allows attackers to set arbitrary fields including sensitive ones like `is_admin`, `is_staff`, or permissions.

NOTE: This rule only flags POST/PUT/PATCH request body data (`request.POST`, `request.data`). It does NOT flag `request.GET` or `request.query_params`, as those are typically used for read-only filtering operations and cannot cause mass assignment vulnerabilities in standard Django ORM usage.
### Django View Missing Authentication

- ID: django-missing-authentication
- Severity: HIGH
- CWE: CWE-306
- Languages: Python

Detects Django views that should require authentication but lack `@login_required`, `@permission_required`, or other authentication decorators.

### Django Missing CSRF Protection

- ID: django-missing-csrf-protection
- Severity: HIGH
- CWE: Cross-Site Request Forgery (CWE-352)
- Languages: Python

Detects Django views that handle POST/PUT/DELETE requests without CSRF protection. CSRF tokens prevent malicious sites from performing actions on behalf of authenticated users.

### FastAPI JWT Security Issues

- ID: fastapi-jwt-security
- Severity: HIGH
- CWE: Improper Signature Verification (CWE-347)
- Languages: Python

Detects JWT security issues in FastAPI applications including:

- Weak or hardcoded secrets
- Missing algorithm verification
- Insufficient token validation
- Insecure token storage patterns

### FastAPI Endpoint Missing Authentication

- ID: fastapi-missing-authentication
- Severity: HIGH
- CWE: CWE-306
- Languages: Python

Detects FastAPI endpoints that perform sensitive operations without authentication via `Depends()` dependency injection.

### Flask Debug Mode in Production

- ID: flask-debug-mode-production
- Severity: HIGH
- CWE: CWE-489
- Languages: Python

Detects Flask applications running with debug mode enabled. Debug mode exposes sensitive information, allows code execution through the interactive debugger, and should NEVER be enabled in production.

### Business Logic Bypass

- ID: python-business-logic-bypass
- Severity: HIGH
- CWE: CWE-840
- Languages: Python

Detects client-controlled business-critical values (price, quantity, discount) flowing to payment or business operations without server-side validation.
### SSL/TLS Certificate Validation Disabled

- ID: python-certificate-validation-bypass
- Severity: HIGH
- CWE: Improper Certificate Validation (CWE-295)
- Languages: Python

Detects disabled SSL/TLS certificate validation. Disabling certificate validation makes connections vulnerable to man-in-the-middle attacks.

### Class/Attribute Pollution

- ID: python-class-pollution
- Severity: HIGH
- CWE: Mass Assignment (CWE-915)
- Languages: Python

Detects unsafe modification of class attributes or object `__dict__` using user input.

### CORS Regex Bypass Vulnerability

- ID: python-cors-regex-bypass
- Severity: HIGH
- CWE: CWE-942
- Languages: Python

Detects CORS implementations using weak regex patterns, prefix/suffix matching, or substring checks that can be bypassed by attackers to allow unauthorized cross-origin access from malicious domains.

Common bypass patterns:

1. Unanchored regex: `r"https://.*\.example\.com"` matches `"https://evil.com/.example.com"`
2. Unescaped dots: `r"https://app.trusted.com"` matches `"https://appXtrusted.com"`
3. Prefix matching: `startswith("https://trusted.com")` allows `"https://trusted.com.evil.com"`
4. Suffix matching: `endswith(".trusted.com")` can be abused with subdomain takeover
5. Contains check: `"trusted.com" in origin` matches `"nottrusted.com"`

### Default Privilege Assignment in User Creation

- ID: python-default-privilege-assignment
- Severity: HIGH
- CWE: CWE-269
- Languages: Python

Detects user creation flows that assign elevated privileges by default.

---

Showing 25 of 97 rules (page 1/4)