rodin/security-patterns
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Add SSRF, race conditions, JWT security patterns

Browse Source 
High-priority patterns from completeness review:
- ssrf.md: metadata endpoints, DNS rebinding, webhook validation
- race-conditions.md: TOCTOU, atomic operations, file/db races
- jwt-security.md: algorithm confusion, kid injection, refresh tokens

Now 16 patterns covering comprehensive web application security.
This commit is contained in:
Rodin
2026-05-10 23:17:54 -07:00
parent 8a94a08511
commit 5b9f30e663
4 changed files with 550 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+5 -2
View File
@@ -26,15 +26,18 @@ Based on OWASP Top 10:2025 and recent security research.
|------|-------|------------|
| [authentication.md](authentication.md) | Passwords, tokens, MFA, brute force protection | A07 |
| [authorization.md](authorization.md) | Permission checks, IDOR prevention, privilege escalation | A01 |
| [jwt-security.md](jwt-security.md) | Algorithm confusion, weak secrets, expiration | A07 |
### Attack Prevention
| File | Topic | OWASP 2025 |
|------|-------|------------|
| [injection-prevention.md](injection-prevention.md) | SQL, command, template, path traversal | A05 |
| [ssrf.md](ssrf.md) | Server-side request forgery, metadata endpoints | A10 |
| [dos-prevention.md](dos-prevention.md) | Rate limiting, resource bounds, algorithmic complexity | — |
| [prompt-injection.md](prompt-injection.md) | LLM security, data/instruction separation | — |
| [deserialization.md](deserialization.md) | Untrusted data deserialization, pickle, yaml | A08 |
| [race-conditions.md](race-conditions.md) | TOCTOU, atomic check-and-act, database locks | — |
### Infrastructure
@@ -53,10 +56,10 @@ Based on OWASP Top 10:2025 and recent security research.
| A04 | Cryptographic Failures | cryptography.md |
| A05 | Injection | injection-prevention.md |
| A06 | Insecure Design | secure-defaults.md |
| A07 | Authentication Failures | authentication.md |
| A07 | Authentication Failures | authentication.md, jwt-security.md |
| A08 | Software or Data Integrity Failures | deserialization.md |
| A09 | Security Logging and Alerting Failures | audit-logging.md |
| A10 | Mishandling of Exceptional Conditions | error-handling.md |
| A10 | Mishandling of Exceptional Conditions | error-handling.md, ssrf.md |
## Sources