Vulnerability Patterns: Language-Specific

Detection patterns organized by programming language.

When to Use This Skill

• Language-targeted scans - When auditing specific tech stacks
• Code review - Finding vulnerabilities in PRs
• Building auditor agents - Patterns for domain auditors

When NOT to Use This Skill

• Universal patterns - Use vuln-patterns-core skill
• Full audits - Use domain auditor agents
• Remediation - Use remediation-* skills

---

JavaScript/TypeScript Patterns

Dangerous eval()

Detection Pattern:

# eval with variables
eval\s*\([^)]*[a-zA-Z_]+[^)]*\)

# Function constructor
new\s+Function\s*\([^)]*[a-zA-Z_]+

# setTimeout/setInterval with string
(setTimeout|setInterval)\s*\([^,)]*['"`]

Grep Commands:

grep -rn --include="*.{js,ts}" -E "eval\s*\(" .
grep -rn --include="*.{js,ts}" -E "new\s+Function\s*\(" .
grep -rn --include="*.{js,ts}" -E "(setTimeout|setInterval)\s*\(['\"\`]" .

Severity: Critical ASVS: V1.5.1 - Safe deserialization CWE: CWE-94 (Code Injection)

---

XSS via DOM Manipulation

Detection Pattern:

# innerHTML assignment
\.innerHTML\s*=(?!\s*['"]<[^>]+>[^<]*</[^>]+>['"])

# document.write
document\.write\s*\(

# insertAdjacentHTML
\.insertAdjacentHTML\s*\(

# React dangerouslySetInnerHTML
dangerouslySetInnerHTML

Grep Commands:

grep -rn --include="*.{js,ts,jsx,tsx}" "\.innerHTML\s*=" .
grep -rn --include="*.{js,ts,jsx,tsx}" "document\.write" .
grep -rn --include="*.{js,ts,jsx,tsx}" "dangerouslySetInnerHTML" .

Severity: High ASVS: V3.3.1 - XSS prevention CWE: CWE-79 (Cross-site Scripting)

---

Prototype Pollution

Detection Pattern:

# Direct __proto__ access
__proto__

# Object merge without validation
Object\.assign\s*\([^)]*,[^)]*\)
\.\.\.(?!props)[a-zA-Z_]+

# Bracket notation with variable
\[[a-zA-Z_]+\]\s*=

Grep Commands:

grep -rn --include="*.{js,ts}" "__proto__" .
grep -rn --include="*.{js,ts}" "constructor\s*\[" .

Severity: High ASVS: V1.5.1 - Safe deserialization CWE: CWE-1321 (Prototype Pollution)

---

Insecure Randomness

Detection Pattern:

Math\.random\s*\(\)

Context: Only flag when used for security purposes (tokens, keys, IDs)

Grep Commands:

grep -rn --include="*.{js,ts}" "Math\.random" .

Severity: Medium (context-dependent) ASVS: V11.3.1 - CSPRNG for security values CWE: CWE-330 (Insufficient Randomness)

---

Missing Security Headers (Express)

Detection Pattern:

# Express without helmet
app\s*=\s*express\s*\(\)(?!.*helmet)

Grep Commands:

grep -rn --include="*.{js,ts}" "express()" . | grep -v helmet
grep -rn --include="*.{js,ts}" "helmet" .

Severity: Medium ASVS: V3.4.1 - Security headers CWE: CWE-693 (Protection Mechanism Failure)

---

Python Patterns

Unsafe Deserialization

Detection Pattern:

# Pickle with untrusted data
pickle\.(loads?|load)\s*\(

# YAML unsafe load
yaml\.(load|unsafe_load)\s*\([^)]*(?!Loader\s*=\s*yaml\.SafeLoader)

# Marshal load
marshal\.loads?\s*\(

Grep Commands:

grep -rn --include="*.py" "pickle\.load" .
grep -rn --include="*.py" "yaml\.load" . | grep -v "SafeLoader\|safe_load"
grep -rn --include="*.py" "marshal\.load" .

Severity: Critical ASVS: V1.5.1 - Safe deserialization CWE: CWE-502 (Deserialization of Untrusted Data)

---

Weak Cryptography

Detection Pattern:

# MD5/SHA1 for security
hashlib\.(md5|sha1)\s*\(

# DES/RC4
DES\.|RC4\.|Blowfish\.

# ECB mode
\.MODE_ECB

Grep Commands:

grep -rn --include="*.py" "hashlib\.md5\|hashlib\.sha1" .
grep -rn --include="*.py" "MODE_ECB" .
grep -rn --include="*.py" -E "DES\.|RC4\." .

Severity: High ASVS: V11.5.2 - No MD5/SHA1 CWE: CWE-327 (Broken Crypto Algorithm)

---

Insecure Random

Detection Pattern:

# random module for security
random\.(choice|randint|random|randrange|sample)\s*\(

Context: Flag when used for tokens, keys, session IDs

Grep Commands:

grep -rn --include="*.py" -E "random\.(choice|randint|random|randrange)" . | grep -i "token\|key\|session\|secret\|password"

Severity: High ASVS: V11.3.1 - CSPRNG CWE: CWE-338 (Weak PRNG)

---

Hardcoded Flask Secret Key

Detection Pattern:

SECRET_KEY\s*=\s*['"][^'"]+['"]
app\.secret_key\s*=\s*['"][^'"]+['"]

Grep Commands:

grep -rn --include="*.py" "SECRET_KEY\s*=\s*['\"]" .
grep -rn --include="*.py" "secret_key\s*=\s*['\"]" .

Severity: High ASVS: V13.3.1 - Secrets management CWE: CWE-798 (Hardcoded Credentials)

---

Debug Mode in Production

Detection Pattern:

DEBUG\s*=\s*True
app\.run\s*\([^)]*debug\s*=\s*True
FLASK_DEBUG\s*=\s*['"]?1

Grep Commands:

grep -rn --include="*.py" "DEBUG\s*=\s*True" .
grep -rn --include="*.py" "debug\s*=\s*True" .

Severity: High ASVS: V13.2.1 - Debug disabled in production CWE: CWE-489 (Active Debug Code)

---

TLS Verification Disabled

Detection Pattern:

verify\s*=\s*False
REQUESTS_CA_BUNDLE\s*=\s*['"]?$
urllib3\.disable_warnings

Grep Commands:

grep -rn --include="*.py" "verify\s*=\s*False" .
grep -rn --include="*.py" "disable_warnings" .

Severity: High ASVS: V12.3.1 - Certificate validation CWE: CWE-295 (Improper Certificate Validation)

---

Go Patterns

SQL Injection

Detection Pattern:

# fmt.Sprintf in queries
fmt\.Sprintf\s*\([^)]*SELECT
db\.(Query|Exec)\s*\([^)]*\+

# String concatenation
"SELECT.*"\s*\+

Grep Commands:

grep -rn --include="*.go" -E "fmt\.Sprintf.*SELECT|fmt\.Sprintf.*INSERT" .
grep -rn --include="*.go" -E "db\.(Query|Exec)\s*\(.*\+" .

Severity: Critical ASVS: V1.2.1 - Parameterized queries CWE: CWE-89 (SQL Injection)

---

Weak Cryptography

Detection Pattern:

crypto/md5
crypto/sha1
crypto/des
crypto/rc4

Grep Commands:

grep -rn --include="*.go" "crypto/md5\|crypto/sha1\|crypto/des\|crypto/rc4" .

Severity: High ASVS: V11.5.2 - No deprecated algorithms CWE: CWE-327 (Broken Crypto)

---

Insecure TLS Config

Detection Pattern:

InsecureSkipVerify\s*:\s*true
MinVersion\s*:\s*tls\.VersionSSL
MinVersion\s*:\s*tls\.VersionTLS10

Grep Commands:

grep -rn --include="*.go" "InsecureSkipVerify.*true" .
grep -rn --include="*.go" "MinVersion.*SSL\|MinVersion.*TLS10\|MinVersion.*TLS11" .

Severity: High ASVS: V12.2.1 - TLS 1.2+ CWE: CWE-295 (Certificate Validation)

---

Java Patterns

SQL Injection

Detection Pattern:

# String concatenation
Statement\s+\w+\s*=.*createStatement
executeQuery\s*\([^?]*\+
"SELECT.*"\s*\+

# PreparedStatement misuse
prepareStatement\s*\([^?]*\+

Grep Commands:

grep -rn --include="*.java" "createStatement" .
grep -rn --include="*.java" -E "executeQuery\s*\(.*\+" .
grep -rn --include="*.java" -E "\"SELECT.*\"\s*\+" .

Severity: Critical ASVS: V1.2.1 - Parameterized queries CWE: CWE-89 (SQL Injection)

---

Unsafe Deserialization

Detection Pattern:

ObjectInputStream
readObject\s*\(\)
XMLDecoder
XStream(?!.*allowTypes)

Grep Commands:

grep -rn --include="*.java" "ObjectInputStream\|readObject()" .
grep -rn --include="*.java" "XMLDecoder" .

Severity: Critical ASVS: V1.5.1 - Safe deserialization CWE: CWE-502 (Deserialization)

---

XXE Vulnerability

Detection Pattern:

DocumentBuilderFactory(?!.*setFeature.*FEATURE_SECURE)
SAXParserFactory(?!.*setFeature)
XMLInputFactory(?!.*setProperty.*SUPPORT_DTD)

Grep Commands:

grep -rn --include="*.java" "DocumentBuilderFactory\|SAXParserFactory\|XMLInputFactory" .

Severity: High ASVS: V1.5.1 - XML processing CWE: CWE-611 (XXE)

---

Weak Cryptography

Detection Pattern:

MessageDigest\.getInstance\s*\(\s*["']MD5
MessageDigest\.getInstance\s*\(\s*["']SHA-?1
Cipher\.getInstance\s*\(\s*["']DES
Cipher\.getInstance\s*\(\s*["'].*ECB

Grep Commands:

grep -rn --include="*.java" -E "MessageDigest\.getInstance.*MD5|MessageDigest\.getInstance.*SHA.?1" .
grep -rn --include="*.java" "Cipher\.getInstance.*DES\|Cipher\.getInstance.*ECB" .

Severity: High ASVS: V11.5.2 - Secure algorithms CWE: CWE-327 (Broken Crypto)

---

Ruby Patterns

Command Injection

Detection Pattern:

`[^`]*#{
system\s*\([^)]*#{
exec\s*\([^)]*#{
%x\{[^}]*#{

Grep Commands:

grep -rn --include="*.rb" -E "\`.*#\{" .
grep -rn --include="*.rb" -E "system\s*\(.*#\{" .
grep -rn --include="*.rb" "%x{" .

Severity: Critical ASVS: V1.2.3 - Command injection CWE: CWE-78 (OS Command Injection)

---

SQL Injection (Rails)

Detection Pattern:

\.where\s*\([^)]*#{
\.find_by_sql\s*\([^)]*#{
\.execute\s*\([^)]*#{
\.order\s*\([^)]*#{

Grep Commands:

grep -rn --include="*.rb" -E "\.where\s*\(.*#\{" .
grep -rn --include="*.rb" "find_by_sql" .

Severity: Critical ASVS: V1.2.1 - Parameterized queries CWE: CWE-89 (SQL Injection)

---

Mass Assignment

Detection Pattern:

attr_accessible\s*:
params\.permit!
\.update_attributes?\s*\(params

Grep Commands:

grep -rn --include="*.rb" "params\.permit!" .
grep -rn --include="*.rb" "update_attributes.*params" .

Severity: High ASVS: V2.2.1 - Input validation CWE: CWE-915 (Mass Assignment)

---

PHP Patterns

SQL Injection

Detection Pattern:

mysql_query\s*\(
mysqli_query\s*\([^,]+,\s*["'][^?]
\$_(?:GET|POST|REQUEST)\s*\[.*\]\s*\.

Grep Commands:

grep -rn --include="*.php" "mysql_query\|mysqli_query" .
grep -rn --include="*.php" '\$_(GET|POST|REQUEST).*\.' .

Severity: Critical ASVS: V1.2.1 - Parameterized queries CWE: CWE-89 (SQL Injection)

---

Command Injection

Detection Pattern:

(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$
`\$

Grep Commands:

grep -rn --include="*.php" -E "(system|exec|shell_exec|passthru)\s*\(\s*\\\$" .

Severity: Critical ASVS: V1.2.3 - Command injection CWE: CWE-78 (OS Command Injection)

---

Unsafe Deserialization

Detection Pattern:

unserialize\s*\(\s*\$

Grep Commands:

grep -rn --include="*.php" "unserialize\s*(\s*\$" .

Severity: Critical ASVS: V1.5.1 - Safe deserialization CWE: CWE-502 (Deserialization)

---

File Inclusion

Detection Pattern:

(include|require|include_once|require_once)\s*\(\s*\$

Grep Commands:

grep -rn --include="*.php" -E "(include|require)(_once)?\s*\(\s*\\\$" .

Severity: Critical ASVS: V5.3.1 - File security CWE: CWE-98 (File Inclusion)

---

Quick Reference by Language

Language	Critical Issues	High Issues
JS/TS	eval(), XSS	Prototype pollution
Python	pickle, yaml.load	MD5/SHA1, random
Go	fmt.Sprintf SQL	InsecureSkipVerify
Java	ObjectInputStream, SQL	XXE, MD5/SHA1
Ruby	backticks, SQL	Mass assignment
PHP	unserialize, include	mysql_query

See Also

• vuln-patterns-core - Universal patterns
• remediation-injection - Injection fixes
• remediation-crypto - Crypto fixes