Agent-Skills.md

Agent Skills: OWASP Top 10 Security Vulnerabilities

OWASP Top 10 security vulnerabilities with detection and remediation patterns. Use when conducting security audits, implementing secure coding practices, or reviewing code for common security vulnerabilities.

UncategorizedID: NickCrew/claude-ctx-plugin/owasp-top-10

Repository

NickCrew/claude-ctx-plugin
NickCrewLicense: MIT
52

Skill Files

Browse the full folder contents for owasp-top-10.

Download Skill

Loading file tree…

skills/owasp-top-10/SKILL.md

Skill Metadata

Name
owasp-top-10
Description
OWASP Top 10 security vulnerabilities with detection and remediation patterns. Use when conducting security audits, implementing secure coding practices, or reviewing code for common security vulnerabilities.

OWASP Top 10 Security Vulnerabilities

Expert guidance for identifying, preventing, and remediating the most critical web application security risks based on OWASP Top 10 2021.

When to Use This Skill

  • Conducting security audits and code reviews
  • Implementing secure coding practices in new features
  • Reviewing authentication and authorization systems
  • Assessing input validation and sanitization
  • Evaluating third-party dependencies for vulnerabilities
  • Designing security controls and defense-in-depth strategies
  • Preparing for security certifications or compliance audits
  • Investigating security incidents or suspicious behavior

OWASP Top 10 2021 Overview

Ranked by Risk Severity:

  1. A01 - Broken Access Control (↑ from #5)
  2. A02 - Cryptographic Failures (formerly Sensitive Data Exposure)
  3. A03 - Injection (↓ from #1)
  4. A04 - Insecure Design (NEW)
  5. A05 - Security Misconfiguration
  6. A06 - Vulnerable and Outdated Components
  7. A07 - Identification and Authentication Failures
  8. A08 - Software and Data Integrity Failures (NEW)
  9. A09 - Security Logging and Monitoring Failures
  10. A10 - Server-Side Request Forgery (SSRF) (NEW)

Quick Reference

Load detailed guidance for each vulnerability:

| Vulnerability | Reference File | |---|---| | Broken Access Control | skills/owasp-top-10/references/broken-access-control.md | | Cryptographic Failures | skills/owasp-top-10/references/cryptographic-failures.md | | Injection | skills/owasp-top-10/references/injection.md | | Insecure Design | skills/owasp-top-10/references/insecure-design.md | | Security Misconfiguration | skills/owasp-top-10/references/security-misconfiguration.md | | Vulnerable Components | skills/owasp-top-10/references/vulnerable-components.md | | Authentication Failures | skills/owasp-top-10/references/authentication-failures.md | | Integrity Failures | skills/owasp-top-10/references/integrity-failures.md | | Logging & Monitoring | skills/owasp-top-10/references/logging-monitoring.md | | SSRF | skills/owasp-top-10/references/ssrf.md | | Prevention Strategies | skills/owasp-top-10/references/prevention-strategies.md |

Security Audit Workflow

  1. Identify Scope: Determine application components and attack surface
  2. Select Vulnerabilities: Choose relevant OWASP categories based on features
  3. Load Reference: Read appropriate reference file(s) for detailed patterns
  4. Analyze Code: Review code against vulnerable and secure patterns
  5. Document Findings: Record vulnerabilities with severity and remediation
  6. Verify Fixes: Test that remediations properly address issues
  7. Test Security: Run automated security testing (SAST, DAST, SCA)

Core Security Principles

Defense in Depth

  • Layer security controls at network, application, data, and monitoring levels
  • Ensure failure of one control doesn't compromise entire system

Secure by Default

  • Deny all access by default, explicitly grant permissions
  • Fail securely (errors don't expose sensitive information)
  • Minimize attack surface (disable unused features)
  • Apply least privilege to all accounts and services

Input Validation

  • Validate type, length, format, and allowed values
  • Use allow-lists over deny-lists
  • Sanitize for specific context (SQL, HTML, shell, etc.)
  • Never trust client input

Common Mistakes

  1. Trusting User Input: Always validate and sanitize all user-supplied data
  2. Rolling Your Own Crypto: Use established libraries (bcrypt, AES-256)
  3. Exposing Errors: Log detailed errors internally, show generic messages to users
  4. Missing Authorization: Check permissions on every request, not just UI
  5. Weak Session Management: Use secure, httpOnly, sameSite cookies with HTTPS
  6. Ignoring Dependencies: Regularly audit and update third-party libraries
  7. No Logging: Log security events for detection and incident response
  8. Default Configurations: Harden all systems, disable defaults

Security Testing Tools

SAST (Static): SonarQube, Semgrep, ESLint security plugins DAST (Dynamic): OWASP ZAP, Burp Suite SCA (Dependencies): npm audit, Snyk, Dependabot Secrets Scanning: GitGuardian, TruffleHog Penetration Testing: Metasploit, Kali Linux tools

Resources

  • OWASP Top 10 2021: https://owasp.org/Top10/
  • OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/
  • OWASP ASVS: Application Security Verification Standard
  • CWE Top 25: Common Weakness Enumeration
  • NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
  • CVE Database: https://cve.mitre.org/
  • Snyk Vulnerability DB: https://snyk.io/vuln/