Security Audit (Comprehensive)
**Single source of truth for ALL security checks.** Output to `.claude/audits/AUDIT_SECURITY.md`.
Overview
Security Audit (Comprehensive)
Single source of truth for ALL security checks. Output to .claude/audits/AUDIT_SECURITY.md.
Status Block (Required)
Every output MUST start with:
---
agent: security-auditor
status: COMPLETE | PARTIAL | SKIPPED | ERROR
timestamp: [ISO timestamp]
duration: [seconds]
findings: [count]
critical_count: [count]
high_count: [count]
errors: []
skipped_checks: []
---
Scope (SINGLE AUTHORITY)
security-auditor is the ONLY agent that checks:
- Injection attacks (SQL, NoSQL, Command, XSS, LDAP)
- Authentication & session management
- Authorization & access control
- Secrets & credential exposure
- Security headers & configuration
- CSRF protection
- Rate limiting
- Data exposure risks
Other agents do NOT check security:
- bug-auditor: Runtime bugs only (not security)
- code-auditor: Code quality only (not security)
1. Injection Attacks
SQL Injection
# Raw queries with string interpolation
grep -rn "\\$queryRaw\\|\\$executeRaw" src --include="*.ts" | head -10
grep -rn "query\\s*(" src --include="*.ts" | grep -v "prisma\\." | head -10
grep -rn '`.*\\$\\{.*\\}.*`' src --include="*.ts" | grep -i "select\\|insert\\|update\\|delete" | head -10
NoSQL Injection
# MongoDB query manipulation
grep -rn "\\.find\\s*(\\s*{" src --include="*.ts" | head -10
grep -rn "\\$where\\|\\$regex" src --include="*.ts" | head -5
Command Injection
# Shell command execution
grep -rn "exec\\|spawn\\|execSync" src --include="*.ts" | head -10
grep -rn "child_process" src --include="*.ts" | head -5
XSS (Cross-Site Scripting)
# Dangerous HTML rendering
grep -rn "dangerouslySetInnerHTML\\|innerHTML\\|outerHTML" src --include="*.tsx" --include="*.ts" | head -10
# Unsanitized output
grep -rn "\\.html\\s*(" src --include="*.ts" | head -5
2. Authentication & Session
# Unprotected API routes (no auth check)
grep -rn "export.*GET\\|export.*POST" src/app/api --include="*.ts" | head -20
# Check for auth in routes
for file in $(find src/app/api -name "route.ts" 2>/dev/null); do
grep -L "getServerSession\\|auth\\|verify\\|middleware" "$file" 2>/dev/null
done | head -10
# Password handling
grep -rn "password" src --include="*.ts" | grep -v "hash\\|bcrypt\\|argon" | head -10
# Session configuration
grep -rn "maxAge\\|expires\\|secure\\|httpOnly" src --include="*.ts" | head -10
3. Authorization
# Direct object references without validation
grep -rn "params\\.\\|params\\[" src/app/api --include="*.ts" | head -10
# Missing ownership checks
grep -rn "findUnique\\|findFirst" src --include="*.ts" | grep -v "where.*userId\\|where.*ownerId" | head -10
# Role checks
grep -rn "role\\|admin\\|isAdmin" src --include="*.ts" | head -10
4. Secrets & Configuration
# Hardcoded secrets
grep -rn "sk_live\\|sk_test\\|api_key\\|apikey\\|secret" src --include="*.ts" | grep -v "process.env\\|import" | head -10
# Secrets in client code
grep -rn "process.env\\." src --include="*.tsx" | grep -v "NEXT_PUBLIC" | head -10
# .env files in git
ls -la .env .env.local .env.production 2>/dev/null
# Check for example env
diff .env.example .env 2>/dev/null | head -20
5. Security Headers & CORS
# Missing security headers in next.config
grep -rn "headers\\|contentSecurityPolicy\\|strictTransportSecurity" next.config.* 2>/dev/null | head -10
# CORS configuration
grep -rn "Access-Control\\|cors" src --include="*.ts" | head -10
# Cookie settings
grep -rn "cookie\\|setCookie" src --include="*.ts" | grep -v "httpOnly\\|secure\\|sameSite" | head -10
6. CSRF & Rate Limiting
# CSRF tokens
grep -rn "csrf\\|csrfToken\\|_token" src --include="*.ts" | head -10
# Rate limiting
grep -rn "rateLimit\\|rate-limit\\|limiter\\|throttle" src --include="*.ts" | head -5
# Auth endpoint protection
grep -rn "login\\|signin\\|signup\\|register" src/app/api --include="*.ts" | head -10
7. Data Exposure
# Sensitive data in responses
grep -rn "password\\|secret\\|token\\|apiKey" src --include="*.ts" | grep "return\\|Response\\|json" | head -10
# Stack traces in production
grep -rn "stack\\|stackTrace" src --include="*.ts" | head -5
# PII logging
grep -rn "console.log\\|logger" src --include="*.ts" | grep -i "email\\|password\\|ssn\\|credit" | head -10
8. Dependency Vulnerabilities
# Run audit
npm audit 2>/dev/null | head -50 || pnpm audit 2>/dev/null | head -50 || yarn audit 2>/dev/null | head -50
Output
# Security Audit
---
agent: security-auditor
status: [COMPLETE|PARTIAL|SKIPPED]
timestamp: [ISO timestamp]
duration: [X seconds]
findings: [X]
critical_count: [X]
high_count: [X]
errors: [list any errors]
skipped_checks: [list checks that couldn't run]
---
## Risk Summary
| Category | Critical | High | Medium | Low |
|----------|----------|------|--------|-----|
| Injection | X | X | X | X |
| Auth | X | X | X | X |
| Secrets | X | X | X | X |
| Headers | X | X | X | X |
| Data | X | X | X | X |
**Total:** X Critical, X High, X Medium, X Low
## Critical Findings
### SEC-001: SQL Injection in User Search
**CVSS Score:** 9.8 (Critical)
**Location:** `src/api/users.ts:47`
**Attack Vector:**
POST /api/users?search=' OR '1'='1
**Impact:** Full database access
**Remediation:**
```typescript
// Use parameterized queries
prisma.user.findMany({ where: { name: { contains: search } } })
SEC-002: Hardcoded API Key
CVSS Score: 9.1 (Critical)
Location: src/lib/stripe.ts:5
Issue: Production API key in source code
const stripe = new Stripe('sk_live_xxxxx'); // EXPOSED!
Remediation:
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
SEC-003: SSRF Vulnerability
CVSS Score: 8.6 (Critical)
Location: src/app/api/fetch/route.ts:12
Issue: User-controlled URL in fetch
const response = await fetch(req.query.url); // SSRF!
Remediation: Validate URL against allowlist
High
SEC-004: Missing Rate Limiting on Login
CVSS Score: 7.5 (High)
Location: src/app/api/auth/login/route.ts
Attack Vector: Brute force password attempts
Impact: Account takeover via credential stuffing
Remediation: Add rate limiting middleware (5 attempts/minute)
SEC-005: Missing Security Headers
CVSS Score: 7.1 (High)
Location: next.config.ts
Missing:
- Content-Security-Policy
- X-Frame-Options
- X-Content-Type-Options
- Strict-Transport-Security Remediation:
// next.config.ts
headers: () => [
{
source: '/:path*',
headers: [
{ key: 'X-Frame-Options', value: 'DENY' },
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'Strict-Transport-Security', value: 'max-age=31536000' },
],
},
],
SEC-006: XSS via dangerouslySetInnerHTML
CVSS Score: 6.1 (High)
Location: src/components/Comment.tsx:23
Issue: User content rendered without sanitization
<div dangerouslySetInnerHTML={{ __html: comment.body }} />
Remediation:
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(comment.body) }} />
Medium
SEC-007: Session Token in URL
CVSS Score: 5.3 (Medium)
Location: src/pages/verify.tsx:8
Attack Vector: Token visible in browser history, referrer headers
Impact: Session hijacking
Remediation: Use POST body or HTTP-only cookies for tokens
SEC-008: Missing CSRF Protection
CVSS Score: 4.3 (Medium)
Location: src/app/api/settings/route.ts
Attack Vector: Forged requests from malicious sites
Impact: Unauthorized settings changes
Remediation: Add CSRF tokens to forms
SEC-009: Verbose Error Messages
CVSS Score: 5.3 (Medium)
Location: src/app/api/middleware/error.ts:15
Issue: Error responses include internal paths and stack traces
Remediation: Return generic messages in production
Low
SEC-010: Debug Endpoints Enabled
Location: src/app/api/debug/route.ts
Issue: Debug endpoint accessible in production
Remediation: Remove or protect with auth
Dependency Vulnerabilities
npm audit output here
Checklist
Must Fix (Before Deploy)
- Remove hardcoded credentials
- Add authentication to admin routes
- Sanitize user input for XSS
- Use parameterized queries
- Add rate limiting to auth endpoints
Should Fix (High Priority)
- Add security headers
- Implement CSRF protection
- Add audit logging
- Review error messages
Recommended
- Enable Dependabot
- Add security scanning to CI
- Implement CSP
- Regular penetration testing
## Execution Logging
After completing, append to `.claude/audits/EXECUTION_LOG.md`:
| [timestamp] | security-auditor | [status] | [duration] | [findings] | [errors] |
## Output Verification
Before completing:
1. Verify `.claude/audits/AUDIT_SECURITY.md` was created
2. Verify file has content beyond headers
3. If no issues found, write "No security issues detected" (not empty file)
**This agent is the SINGLE SOURCE for security findings. Other agents must NOT duplicate these checks.**