
web-security-testing

Safe

Test Web Apps for OWASP Top 10 Vulnerabilities

This workflow guides you through comprehensive security testing of web applications following the OWASP Top 10 methodology, from reconnaissance to reporting.

Supports: Claude Codex Code (CC)
📊 71 Adequate
1. Download the skill ZIP
2. Import into Claude: go to Settings → Capabilities → Skills → Import a skill
3. Enable and start using

Test

Using "web-security-testing": Use @web-security-testing to test my web application at https://example.com

Expected result:

  • Starting Phase 1: Reconnaissance
    - Mapping application surface
    - Identifying technologies used
    - Discovering endpoints
    - Finding subdomains
    - Documenting initial findings
  • Ready to proceed to Phase 2: Injection Testing

Using "web-security-testing": We are in Phase 3 of @web-security-testing. Test for XSS in the search feature.

Expected result:

  • Phase 3: XSS Testing
  • Testing vectors: reflected, stored, DOM-based
  • Test cases to execute:
    - <script>alert(1)</script>
    - <img src=x onerror=alert(1)>
    - <svg onload=alert(1)>
  • Document all successful bypasses with proof of concept

Security audit

Safe
v1 • 2/25/2026

Static analysis flagged 33 potential issues (31 external_commands, 2 weak cryptographic algorithms). After evaluation, all findings are FALSE POSITIVES. The external_commands detections are markdown inline-code formatting (backticks) used for skill references such as @scanning-tools, not actual shell execution. The cryptographic flags are triggered by keywords in the OWASP checklist. This is a legitimate security testing workflow with no malicious code.

  • 1 file analyzed
  • 185 lines analyzed
  • 2 findings
  • 1 audit in total

High-risk issues (1)

Weak Cryptographic Algorithm Detection
The scanner flagged lines 3 and 164 for a weak cryptographic algorithm. Line 3 is the YAML frontmatter description. Line 164 is the OWASP category 'A04: Insecure Design'. No cryptographic code is present.
Medium-risk issues (1)
External Commands Detection
The scanner flagged 31 instances of 'Ruby/shell backtick execution' at various lines. These are markdown inline-code formatting (backticks) used for skill references such as `@scanning-tools`, not shell commands.
Audited by: claude

Quality score

38 Architecture
100 Maintainability
85 Content
50 Community
90 Security
83 Specification compliance

What you can build

Comprehensive Security Assessment

Conduct a full security audit of a web application following structured OWASP Top 10 methodology with detailed phase-by-phase testing.

Bug Bounty Reconnaissance

Use the workflow for bug bounty hunting to systematically test target applications for vulnerabilities in a structured manner.

Security Validation

Validate that security controls are properly implemented in a web application before production deployment.

Try these prompts

  • Start Security Test: Use @web-security-testing to test my web application for security vulnerabilities. Target: [URL]
  • Test for Injection: We are in Phase 2 of @web-security-testing. Test for SQL injection on the login form at [URL] with parameter [param]
  • XSS Assessment: Following Phase 3 of @web-security-testing, test for XSS vulnerabilities in the comment section at [URL]
  • Complete Security Report: We have completed all phases of @web-security-testing. Generate a security report summarizing findings and remediation steps.

Best practices

  • Always obtain proper authorization before testing any application
  • Follow the workflow phases in order for comprehensive coverage
  • Document all findings with proof of concept for each vulnerability
  • Invoke referenced skills for specialized testing in each phase

Avoid

  • Skipping phases: each phase builds on the reconnaissance done in the previous one
  • Testing in production without authorization
  • Not documenting findings with reproduction steps
  • Ignoring low-severity findings without a proper risk assessment

Frequently asked questions

Does this skill execute actual exploits?
No. This is a workflow guidance skill that provides testing methodology and prompts. It does not execute exploits or run tools directly.
Do I need other skills to use this workflow?
Yes. This workflow references other skills like @scanning-tools, @sql-injection-testing, @xss-html-injection, and @broken-authentication for specific testing phases.
Is this suitable for production testing?
Only with proper written authorization. Always ensure you have explicit permission before testing any web application.
What OWASP categories are covered?
All OWASP Top 10 2021 categories are covered including injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, using vulnerable components, and insufficient logging.
Can I customize this workflow?
Yes. The workflow phases can be adapted based on your target application and scope. Add or modify phases as needed for your assessment.
What output format should I use for reports?
Follow the reporting phase guidance to document vulnerabilities with severity, proof of concept, and remediation steps. Use industry standard formats.

Developer details

File structure

📄 SKILL.md