Config Files Insecure Cookieless Configuration
Description
A path-based vulnerability detector that uses pattern matching to identify dangerous configurations and insecure settings in files. The detector searches through configuration files and source code to find potentially unsafe patterns that could lead to security issues.
Detection Strategy
• Review configuration files and source code for matches against known vulnerable patterns
• Check specific file paths and content using regular expressions to identify insecure settings
• Flag matches when finding patterns indicating debug mode enabled, weak security configurations, or exposed sensitive information
• Validate file contents against security best practices and flag deviations from secure configurations
Vulnerable code example
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    # Vulnerable: Allows weak/outdated SSL protocols
    ssl_protocols SSLv3 TLSv1 TLSv1.1;
    # Vulnerable: Uses weak ciphers including some NULL ciphers...
}
```
✅ Secure code example
```nginx
server {
    listen 443 ssl;
    server_name example.com;
    # Only allow TLS 1.2 and 1.3 - older versions have known vulnerabilities
    ssl_protocols TLSv1.2 TLSv1.3;
    # Strong cipher suite with perfect forward secrecy (PFS)...
}
```
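As an added example of the detection strategy described above (not Fluid Attacks' detector code), the script below applies a regular expression to nginx configuration text, flags any `ssl_protocols` directive that enables SSLv3, TLSv1 or TLSv1.1, and ignores commented-out directives; the two embedded configurations are constructed to mirror the snippets on this page, and the weak-version list is an assumption.

```python
"""Added example: minimal path- and regex-based check for weak TLS versions
in nginx configuration files, modelled on the detection strategy above."""
import re
from pathlib import Path

# Directive that selects protocol versions; captures everything up to ';'.
# [ \t]* rather than \s* so the match cannot start on an earlier blank line.
SSL_PROTOCOLS = re.compile(r"^[ \t]*ssl_protocols[ \t]+([^;]+);", re.MULTILINE)
# Protocol versions treated as insecure (assumed list, matching this page)
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def strip_comments(text: str) -> str:
    """Drop `# ...` comments so a commented-out directive is not flagged.
    Newlines are preserved, so reported line numbers stay correct."""
    return re.sub(r"#.*", "", text)


def find_weak_ssl_protocols(text: str):
    """Return (line_number, [weak versions]) for each offending directive."""
    findings = []
    cleaned = strip_comments(text)
    for match in SSL_PROTOCOLS.finditer(cleaned):
        versions = match.group(1).split()
        weak = [v for v in versions if v in WEAK_PROTOCOLS]
        if weak:
            line_no = cleaned.count("\n", 0, match.start()) + 1
            findings.append((line_no, weak))
    return findings


def scan_path(path: Path):
    """Scan one file, or every *.conf below a directory (path-based check)."""
    files = [path] if path.is_file() else sorted(path.rglob("*.conf"))
    return {str(f): find_weak_ssl_protocols(f.read_text()) for f in files}


# Constructed sample inputs mirroring the page's two nginx snippets
VULNERABLE_CONF = """server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1;
}
"""
SECURE_CONF = """server {
    listen 443 ssl;
    # ssl_protocols SSLv3 TLSv1;   (commented out, must not be flagged)
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    print(find_weak_ssl_protocols(VULNERABLE_CONF))  # [(3, ['SSLv3', 'TLSv1', 'TLSv1.1'])]
    print(find_weak_ssl_protocols(SECURE_CONF))      # []
```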