Habilidades web-security-testing

🛡️

web-security-testing

Name: web-security-testing
Author: sickn33

Seguro

Test Web Apps for OWASP Top 10 Vulnerabilities

This workflow guides you through comprehensive security testing of web applications following the OWASP Top 10 methodology, from reconnaissance to reporting.

Suporta: Claude Codex Code(CC)

📊 71 Adequado

Baixar o ZIP da skill

Upload no Claude

Vá em Configurações → Capacidades → Skills → Upload skill

Ative e comece a usar

Testar

A utilizar "web-security-testing". Use @web-security-testing to test my web application at https://example.com

Resultado esperado:

Starting Phase 1: Reconnaissance
- Mapping application surface
- Identifying technologies used
- Discovering endpoints
- Finding subdomains
- Documenting initial findings
Ready to proceed to Phase 2: Injection Testing

A utilizar "web-security-testing". We are in Phase 3 of @web-security-testing. Test for XSS in the search feature.

Resultado esperado:

Phase 3: XSS Testing
Testing vectors: reflected, stored, DOM-based
Test cases to execute:
- <script>alert(1)</script>
- <img src=x onerror=alert(1)>
- <svg onload=alert(1)>
Document all successful bypasses with proof of concept

Auditoria de Segurança

Seguro

v1 • 2/25/2026

Static analysis flagged 33 potential issues (31 external_commands, 2 weak cryptographic algorithms). After evaluation, all findings are FALSE POSITIVES. The external_commands detections are markdown code formatting (backticks) used for skill references like @scanning-tools, not actual shell execution. The cryptographic flags are false positives from keywords in the OWASP checklist. This is a legitimate security testing workflow with no malicious code.

Arquivos analisados

185

Linhas analisadas

achados

Total de auditorias

Problemas de Alto Risco (1)

SKILL.md:3 SKILL.md:164

Weak Cryptographic Algorithm Detection

Scanner flagged lines 3 and 164 for weak cryptographic algorithm. Line 3 is YAML frontmatter description. Line 164 is OWASP category 'A04: Insecure Design'. No cryptographic code present.

Problemas de Risco Médio (1)

SKILL.md:31-32 SKILL.md:42-44 SKILL.md:49-50 SKILL.md:60-66 SKILL.md:71-72 SKILL.md:82-84 SKILL.md:89-101 SKILL.md:106-107 SKILL.md:117-123 SKILL.md:128-140 SKILL.md:145-157 SKILL.md:182-183

External Commands Detection

Scanner flagged 31 instances of 'Ruby/shell backtick execution' at various lines. These are markdown inline code formatting (backticks) used for skill references like `@scanning-tools`, not shell commands.

Auditado por: claude

Pontuação de qualidade

Arquitetura

100

Manutenibilidade

Conteúdo

Comunidade

Segurança

Conformidade com especificações

O Que Você Pode Construir

Comprehensive Security Assessment

Conduct a full security audit of a web application following structured OWASP Top 10 methodology with detailed phase-by-phase testing.

Bug Bounty Reconnaissance

Use the workflow for bug bounty hunting to systematically test target applications for vulnerabilities in a structured manner.

Security Validation

Validate that security controls are properly implemented in a web application before production deployment.

Tente Estes Prompts

Start Security Test

Use @web-security-testing to test my web application for security vulnerabilities. Target: [URL]

Test for Injection

We are in Phase 2 of @web-security-testing. Test for SQL injection on the login form at [URL] with parameter [param]

XSS Assessment

Following Phase 3 of @web-security-testing, test for XSS vulnerabilities in the comment section at [URL]

Complete Security Report

We have completed all phases of @web-security-testing. Generate a security report summarizing findings and remediation steps.

Melhores Práticas

Always obtain proper authorization before testing any application
Follow the workflow phases in order for comprehensive coverage
Document all findings with proof of concept for each vulnerability
Invoke referenced skills for specialized testing in each phase

Evitar

Skipping phases - each phase builds on previous reconnaissance
Testing in production without authorization
Not documenting findings with reproduction steps
Ignoring low-severity findings without proper risk assessment

Perguntas Frequentes

Does this skill execute actual exploits?

No. This is a workflow guidance skill that provides testing methodology and prompts. It does not execute exploits or run tools directly.

Do I need other skills to use this workflow?

Yes. This workflow references other skills like @scanning-tools, @sql-injection-testing, @xss-html-injection, and @broken-authentication for specific testing phases.

Is this suitable for production testing?

Only with proper written authorization. Always ensure you have explicit permission before testing any web application.

What OWASP categories are covered?

All OWASP Top 10 2021 categories are covered including injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, using vulnerable components, and insufficient logging.

Can I customize this workflow?

Yes. The workflow phases can be adapted based on your target application and scope. Add or modify phases as needed for your assessment.

What output format should I use for reports?

Follow the reporting phase guidance to document vulnerabilities with severity, proof of concept, and remediation steps. Use industry standard formats.

Detalhes do Desenvolvedor

Autor

sickn33

Licença

MIT

Repositório

https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/web-security-testing

Referência

main

Estrutura de arquivos

📄 SKILL.md