OWASP 2025 Audit

---
category: reference
tags: [security, owasp, audit]
last_updated: 2026-03-16
confidence: high
---

# OWASP 2025 Audit

## Executive Summary

| # | Category | Score |
|---|----------|-------|
| A01 | Broken Access Control | 6/10 |
| A02 | Cryptographic Failures | 6/10 |
| A03 | Injection | 7/10 |
| A04 | Insecure Design | 7/10 |
| A05 | Security Misconfiguration | 6/10 |
| A06 | Vulnerable and Outdated Components | 5/10 |
| A07 | Identification and Authentication Failures | 6/10 |
| A08 | Software and Data Integrity Failures | 7/10 |
| A09 | Security Logging and Monitoring Failures | 5/10 |
| A10 | Server-Side Request Forgery / Other | 6/10 |

---

## Critical/High Findings (Fixed)

These four issues are being addressed in the current sprint on `feat/consent-csrf` and `feat/wiki-slug-consent-param`.

1. **Open redirect via `return_to`** — Unvalidated redirect target after OAuth login could send users to attacker-controlled URLs. Fixed on `feat/consent-csrf`.
2. **Default Flask secret key** — Flask session signing key was not set, falling back to a hardcoded default. Fixed on `feat/consent-csrf`.
3. **Non-tenant passthrough grants full ADMIN** — A missing tenant check in the passthrough auth path allowed any authenticated user to receive ADMIN-level access. Fixed on `feat/consent-csrf`.
4. **Consent key derived from PEM header only** — The consent nonce was derived from a non-secret prefix of the PEM key, making it predictable. Fixed on `feat/consent-csrf` + `feat/wiki-slug-consent-param`.

---

## Remaining Findings (Prioritized)

### High Priority (address soon)

| Finding | OWASP Category |
|---------|---------------|
| Unpinned git deps in Ansible deploy | A03, A08 |
| No version pinning / lock files | A03 |
| No security response headers | A02 |
| No rate limiting | A06, A07 |
| Bcrypt linear scan DoS | A06, A07 |
| No security logging | A09 |

### Medium Priority

| Finding | OWASP Category |
|---------|---------------|
| Bearer token not wiki-scoped IDOR | A01 |
| `assert` used as security guards | A10 |
| `did:plc` resolution has no timeout | A07, A10 |
| Unbounded `find_orphaned_notes` fan-out | A10 |
| ATProto tokens stored plaintext | A07, A08 |
| Wiki count TOCTOU race | A06 |
| Quota cron wrong path | A06 |
| `debug=True` in `__main__` blocks | A02 |

### Low Priority

| Finding | OWASP Category |
|---------|---------------|
| Open DCR on MCP server | A06, A07 |
| DELETE excluded from quota enforcement | A01, A06 |
| `application = None` on startup failure | A10 |
| Silent `except: pass` in rollback paths | A10 |
| No upper bound on git-upload-pack body size | A10 |

---

## Methodology

10 parallel Sonnet agents were run, one per OWASP Top 10 category, auditing the `robot.wtf` and `otterwiki-mcp` repos. Findings were cross-validated — the same issues were independently flagged by multiple auditors, increasing confidence in the critical findings.