// Investigate browser security vulnerabilities including CORS misconfiguration, CSRF, clickjacking, and cookie security. Use when threat model identifies CWE-346 (Origin Validation), CWE-942 (Permissive CORS), CWE-352 (CSRF), CWE-1021 (Clickjacking), or browser security concerns.
| name | sast-browser-security-testing |
| description | Investigate browser security vulnerabilities including CORS misconfiguration, CSRF, clickjacking, and cookie security. Use when threat model identifies CWE-346 (Origin Validation), CWE-942 (Permissive CORS), CWE-352 (CSRF), CWE-1021 (Clickjacking), or browser security concerns. |
| allowed-tools | Read, Grep, Glob |
Investigate browser-enforced security mechanisms by analyzing:
Before flagging CORS/CSRF vulnerabilities, ALWAYS determine the authentication type first.
| Auth Type | How to Detect | CORS Risk | CSRF Risk |
|---|---|---|---|
| Cookies only | Set-Cookie, res.cookie(), httpOnly, session middleware | HIGH if credentials: true | HIGH |
| Headers + localStorage | localStorage.setItem, Authorization: Bearer, NO withCredentials | LOW | LOW |
| Mixed (both) | Both cookie and header patterns present | MEDIUM | MEDIUM |
Step 1: Check Backend for Cookie Usage
Patterns: Set-Cookie, res.cookie(, setCookie(
session[, req.session, session.
httpOnly, secure: true, sameSite
Step 2: Check Frontend for Credential Handling
Patterns: withCredentials: true, credentials: 'include'
credentials: 'same-origin'
localStorage.setItem, localStorage.getItem
sessionStorage.setItem
Authorization: Bearer, setRequestHeader
Step 3: Determine Risk Level
withCredentials → CORS/CSRF risk is LOWCORS policy allows untrusted origins to read responses.
Dangerous Patterns:
// Reflects any origin - DANGEROUS
app.use(cors({ origin: true, credentials: true }));
// Wildcard with credentials - INVALID but attempted
app.use(cors({ origin: '*', credentials: true }));
// Regex too permissive
origin: /\.example\.com$/ // Allows attacker-example.com
Safe Patterns:
// Explicit allowlist
app.use(cors({
origin: ['https://app.example.com', 'https://admin.example.com'],
credentials: true
}));
// Dynamic with validation
origin: (origin, callback) => {
if (ALLOWED_ORIGINS.includes(origin)) {
callback(null, true);
} else {
callback(new Error('Not allowed'));
}
}
Investigation Questions:
credentials: true enabled?State-changing operations vulnerable to forged cross-origin requests.
CSRF requires ALL of:
Dangerous Patterns:
# State-changing endpoint with cookie auth, no CSRF token
@app.route('/api/transfer', methods=['POST'])
@login_required # Uses session cookies
def transfer_funds():
amount = request.json['amount']
# No CSRF token check!
execute_transfer(amount)
Safe Patterns:
# CSRF token validation
@app.route('/api/transfer', methods=['POST'])
@login_required
@csrf.exempt # Only if intentional API endpoint with header auth
def transfer_funds():
validate_csrf_token(request.headers.get('X-CSRF-Token'))
# OR using SameSite=Strict cookies
CSRF is NOT a risk when:
Page can be embedded in attacker's iframe for UI redressing.
Dangerous Patterns:
# No framing protection
@app.route('/sensitive-action')
def sensitive_page():
return render_template('action.html')
# Missing X-Frame-Options or CSP frame-ancestors
Safe Patterns:
# X-Frame-Options header
response.headers['X-Frame-Options'] = 'DENY'
# OR
response.headers['X-Frame-Options'] = 'SAMEORIGIN'
# CSP frame-ancestors (preferred)
response.headers['Content-Security-Policy'] = "frame-ancestors 'none'"
Authentication cookies missing security attributes.
Dangerous Patterns:
// Missing Secure flag (sent over HTTP)
res.cookie('session', token);
// Missing HttpOnly (accessible via JavaScript/XSS)
res.cookie('session', token, { secure: true });
// Missing SameSite (CSRF vulnerable)
res.cookie('session', token, { secure: true, httpOnly: true });
Safe Patterns:
res.cookie('session', token, {
secure: true, // HTTPS only
httpOnly: true, // Not accessible via JS
sameSite: 'strict' // Not sent cross-origin
});
Search backend for: Set-Cookie, res.cookie, session
Search frontend for: withCredentials, credentials:, localStorage
If header-based only (localStorage + Authorization): Most browser attacks are LOW risk
Patterns: cors(, Access-Control-Allow-Origin
origin:, credentials:
add_header Access-Control
Patterns: POST, PUT, DELETE, PATCH
@csrf_exempt, csrf_token
transfer, update, delete, create
Patterns: X-Frame-Options, frame-ancestors
Content-Security-Policy, CSP
Strict-Transport-Security
Patterns: Set-Cookie, res.cookie(
httpOnly, secure, sameSite
session.cookie, cookie_params
Use github_org_code_search to find:
TRUE_POSITIVE:
origin: true) with cookie-based authFALSE_POSITIVE:
UNVALIDATED:
### Verdict
- **verdict**: TRUE_POSITIVE or FALSE_POSITIVE
- **confidence_score**: 1-10
- **risk_level**: LOW, MEDIUM, HIGH, or CRITICAL
### Authentication Mechanism
- **Type**: Cookie-based / Header-based / Mixed
- **Evidence**: [How auth works in this app]
- **CORS/CSRF Baseline Risk**: HIGH / MEDIUM / LOW
### Evidence
- **Location**: file:line
- **Issue**: Description of the browser security weakness
- **Code**: Relevant code snippet
### Attack Scenario
How an attacker could exploit this:
1. [Steps to reproduce]
### Recommendations
- [Specific fix with code example]
This skill may need information from:
When authentication mechanism is unclear, invoke sast-authentication-testing first.
Investigate authentication vulnerabilities in source code including missing authentication, weak authentication, and session management issues. Use when threat model identifies CWE-287 (Improper Authentication), CWE-384 (Session Fixation), CWE-306 (Missing Authentication), or authentication concerns.
Investigate authorization vulnerabilities in source code including IDOR, privilege escalation, and missing access controls. Use when threat model identifies CWE-639 (IDOR), CWE-862 (Missing Authorization), CWE-863 (Incorrect Authorization), CWE-269 (Privilege Escalation), or access control concerns.
Investigate cryptographic vulnerabilities in source code including weak algorithms, hardcoded secrets, and improper key management. Use when threat model identifies CWE-327 (Use of Broken Crypto), CWE-798 (Hardcoded Credentials), CWE-326 (Inadequate Encryption), or cryptography concerns.
Investigate data exposure vulnerabilities in source code including PII leakage, sensitive data logging, and information disclosure. Use when threat model identifies CWE-200 (Information Exposure), CWE-532 (Sensitive Data in Logs), CWE-359 (Privacy Violation), or data exposure concerns.
Investigate insecure deserialization vulnerabilities that can lead to RCE or data manipulation. Use when threat model identifies CWE-502 (Deserialization of Untrusted Data), CWE-915 (Mass Assignment), or object deserialization concerns.
Investigate file operation vulnerabilities including unrestricted file upload, path traversal in file operations, and insecure file handling. Use when threat model identifies CWE-434 (Unrestricted Upload), CWE-73 (External Control of File Path), CWE-427 (Uncontrolled Search Path), or file security concerns.