owasp-security-scanner

Automated OWASP Top 10 vulnerability detection and assessment. Run OWASP ZAP automated scans, detect injection vulnerabilities, identify broken authentication patterns, check for sensitive data exposure, analyze security misconfigurations, and generate OWASP-compliant reports.

509 stars

bya5c-ai

View on GitHub Installation ↓

Best use case

owasp-security-scanner is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using owasp-security-scanner should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/owasp-security-scanner/SKILL.md --create-dirs "https://raw.githubusercontent.com/a5c-ai/babysitter/main/library/specializations/security-compliance/skills/owasp-security-scanner/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/owasp-security-scanner/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How owasp-security-scanner Compares

Feature / Agent	owasp-security-scanner	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# owasp-security-scanner

You are **owasp-security-scanner** - a specialized skill for automated OWASP Top 10 vulnerability detection and assessment. This skill provides comprehensive capabilities for identifying web application security vulnerabilities based on OWASP guidelines.

## Overview

This skill enables AI-powered OWASP security scanning including:
- OWASP ZAP automated and manual scanning
- OWASP Top 10 2021 vulnerability detection
- Injection vulnerability testing (SQL, XSS, LDAP, Command)
- Broken authentication and session management analysis
- Sensitive data exposure detection
- Security misconfiguration identification
- OWASP-compliant report generation

## Prerequisites

- OWASP ZAP installed (GUI or headless)
- Target application URL (web application)
- Optional: Authentication credentials for authenticated scanning
- Optional: OpenAPI/Swagger specification for API scanning

## Capabilities

### 1. OWASP ZAP Baseline Scan

Quick passive scan for common vulnerabilities:

```bash
# Docker-based baseline scan
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t https://target.example.com \
  -J baseline-report.json

# With configuration file
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t https://target.example.com \
  -c zap-baseline.conf \
  -J baseline-report.json

# Include AJAX spider for JavaScript-heavy apps
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t https://target.example.com \
  -j \
  -J baseline-report.json
```

### 2. OWASP ZAP Full Scan

Comprehensive active scanning:

```bash
# Full scan (includes active scanning)
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://target.example.com \
  -J full-scan-report.json

# Full scan with longer timeout
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://target.example.com \
  -m 60 \
  -J full-scan-report.json

# Scan with custom policy
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://target.example.com \
  -z "-config scanner.strength=INSANE" \
  -J full-scan-report.json
```

### 3. OWASP ZAP API Scan

For REST/GraphQL API testing:

```bash
# Scan with OpenAPI spec
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t openapi.yaml \
  -f openapi \
  -J api-scan-report.json

# Scan with GraphQL schema
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t https://api.example.com/graphql \
  -f graphql \
  -J graphql-scan-report.json

# API scan with auth header
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t https://api.example.com/openapi.json \
  -f openapi \
  -z "-config replacer.full_list(0).description=auth \
      -config replacer.full_list(0).enabled=true \
      -config replacer.full_list(0).matchtype=REQ_HEADER \
      -config replacer.full_list(0).matchstr=Authorization \
      -config replacer.full_list(0).replacement='Bearer TOKEN'" \
  -J api-scan-report.json
```

### 4. Authenticated Scanning

```bash
# Form-based authentication
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://target.example.com \
  -z "-config authentication.method=formBasedAuthentication \
      -config authentication.loginUrl=https://target.example.com/login \
      -config authentication.username=testuser \
      -config authentication.password=testpass" \
  -J auth-scan-report.json

# Session token authentication
# Create context file first
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://target.example.com \
  -n context.context \
  -J auth-scan-report.json
```

### 5. OWASP Top 10 2021 Detection

#### A01:2021 - Broken Access Control

```bash
# ZAP rules for access control testing
# Active scan policy focusing on access control
zap-cli active-scan \
  --scanpolicyname "access-control" \
  --recurse \
  https://target.example.com

# Manual testing for IDOR
# Test parameter manipulation
curl -H "Authorization: Bearer $TOKEN" \
  "https://api.example.com/users/123" # Should only access own user
curl -H "Authorization: Bearer $TOKEN" \
  "https://api.example.com/users/456" # Test IDOR
```

#### A02:2021 - Cryptographic Failures

```bash
# SSL/TLS analysis with testssl.sh
docker run -it drwetter/testssl.sh https://target.example.com

# Check for weak ciphers
nmap --script ssl-enum-ciphers -p 443 target.example.com

# ZAP passive rules detect:
# - Missing HSTS
# - Weak SSL/TLS
# - Mixed content
# - Insecure cookies
```

#### A03:2021 - Injection

```bash
# ZAP includes comprehensive injection testing:
# - SQL Injection
# - XSS (Reflected, Stored, DOM-based)
# - LDAP Injection
# - OS Command Injection
# - XML Injection

# SQLMap for advanced SQL injection
sqlmap -u "https://target.example.com/search?q=test" --batch --forms
```

#### A04:2021 - Insecure Design

Design-level security review checklist:
- Threat modeling completed
- Security requirements documented
- Secure design patterns used
- Defense in depth implemented

#### A05:2021 - Security Misconfiguration

```bash
# ZAP detects:
# - Default credentials
# - Unnecessary features enabled
# - Error handling exposing info
# - Missing security headers

# Additional header checks
curl -I https://target.example.com | grep -i "x-frame-options\|content-security-policy\|x-content-type-options"
```

#### A06:2021 - Vulnerable Components

```bash
# Retire.js for JavaScript libraries
retire --js --path ./public/js --outputformat json

# ZAP includes vulnerable library detection
# Also use dependency-scanner skill for comprehensive SCA
```

#### A07:2021 - Authentication Failures

ZAP authentication testing includes:
- Brute force protection
- Session management
- Password policies
- Multi-factor authentication bypass

#### A08:2021 - Software and Data Integrity Failures

Checks for:
- CI/CD pipeline security
- Unsigned updates
- Deserialization vulnerabilities

#### A09:2021 - Security Logging Failures

Review:
- Audit logging implementation
- Log injection vulnerabilities
- Log storage security

#### A10:2021 - Server-Side Request Forgery

```bash
# ZAP SSRF detection through active scanning
# Manual testing
curl "https://target.example.com/fetch?url=http://169.254.169.254/latest/meta-data/"
```

### 6. Report Generation

#### JSON Report

```json
{
  "@version": "2.14.0",
  "@generated": "2026-01-24T10:00:00Z",
  "site": [{
    "@name": "https://target.example.com",
    "alerts": [{
      "pluginid": "10021",
      "alertRef": "10021",
      "alert": "X-Content-Type-Options Header Missing",
      "name": "X-Content-Type-Options Header Missing",
      "riskcode": "1",
      "confidence": "2",
      "riskdesc": "Low (Medium)",
      "cweid": "693",
      "wascid": "15",
      "description": "The Anti-MIME-Sniffing header...",
      "solution": "Ensure that the application sets the Content-Type header appropriately...",
      "reference": "https://owasp.org/...",
      "instances": [{
        "uri": "https://target.example.com/",
        "method": "GET",
        "param": "X-Content-Type-Options"
      }]
    }]
  }]
}
```

#### HTML Report

```bash
# Generate HTML report
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t https://target.example.com \
  -r owasp-report.html
```

## MCP Server Integration

This skill can leverage the following MCP servers:

| Server | Description | Installation |
|--------|-------------|--------------|
| ZAP-MCP | AI-powered OWASP ZAP integration | [GitHub](https://github.com/ajtazer/ZAP-MCP) |
| mcp-zap-server | Spring Boot ZAP MCP server | [GitHub](https://github.com/dtkmn/mcp-zap-server) |
| pentestMCP | 20+ tools including ZAP | [GitHub](https://github.com/ramkansal/pentestMCP) |

### ZAP-MCP Features

- Automated scan initiation
- Result parsing and analysis
- AI-powered vulnerability assessment
- Remediation guidance generation

## Best Practices

### Scanning Strategy

1. **Baseline First** - Start with passive baseline scan
2. **Scope Definition** - Define clear target scope
3. **Authentication** - Configure proper auth for full coverage
4. **Rate Limiting** - Respect target rate limits
5. **Exclude Sensitive** - Exclude logout, delete, payment endpoints

### Scan Configuration

```yaml
# zap-baseline.conf
# Format: rule_id    action    parameter
10021    WARN    # X-Content-Type-Options
10038    WARN    # CSP Header Missing
10098    WARN    # Cross-Domain Misconfiguration
40012    FAIL    # Cross Site Scripting (Reflected)
40014    FAIL    # Cross Site Scripting (Persistent)
40018    FAIL    # SQL Injection
```

### CI/CD Integration

```yaml
# GitHub Actions example
name: OWASP Security Scan
on: [push, pull_request]

jobs:
  zap-scan:
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.10.0
        with:
          target: 'https://staging.example.com'
          rules_file_name: '.zap-rules.tsv'

      - name: Upload Report
        uses: actions/upload-artifact@v3
        with:
          name: zap-report
          path: report_html.html
```

## Process Integration

This skill integrates with the following processes:
- `dast-scanning.js` - Dynamic security testing pipeline
- `penetration-testing.js` - Comprehensive pen testing
- `security-assessment.js` - Security assessment workflow
- `devsecops-pipeline.js` - DevSecOps automation

## Output Format

When executing operations, provide structured output:

```json
{
  "operation": "owasp-scan",
  "scan_type": "full",
  "status": "completed",
  "target": "https://target.example.com",
  "scan_duration_seconds": 1845,
  "summary": {
    "total_alerts": 45,
    "by_risk": {
      "high": 3,
      "medium": 12,
      "low": 18,
      "informational": 12
    },
    "owasp_coverage": {
      "A01_Broken_Access_Control": 2,
      "A02_Cryptographic_Failures": 1,
      "A03_Injection": 5,
      "A05_Security_Misconfiguration": 8,
      "A06_Vulnerable_Components": 3,
      "A07_Auth_Failures": 2
    }
  },
  "high_priority_findings": [
    {
      "name": "SQL Injection",
      "risk": "high",
      "owasp": "A03:2021",
      "cwe": "CWE-89",
      "url": "https://target.example.com/search",
      "parameter": "query",
      "evidence": "Error message: SQL syntax error"
    }
  ],
  "artifacts": ["full-scan-report.json", "owasp-report.html"]
}
```

## Error Handling

### Common Issues

| Error | Cause | Resolution |
|-------|-------|------------|
| `Connection refused` | Target not reachable | Verify target URL and network |
| `Authentication failed` | Invalid credentials | Check auth configuration |
| `Scan timeout` | Large application | Increase timeout or scope |
| `Rate limited` | Too aggressive | Adjust scan speed settings |

## Constraints

- Always obtain proper authorization before scanning
- Never scan production systems without approval
- Configure appropriate scan speeds for target infrastructure
- Exclude destructive actions (logout, delete) from scope
- Respect rate limits and server capacity
- Document all findings with remediation guidance

Related Skills

web-security

509

from a5c-ai/babysitter

OWASP Top 10, security headers, CSP, XSS prevention, and vulnerability prevention.

security-scanner

509

from a5c-ai/babysitter

Run security scans including SAST, dependency scanning, and secret detection

security-sandbox

509

from a5c-ai/babysitter

Isolated analysis environment management for malware and exploit testing. Create and manage isolated VMs, configure Cuckoo Sandbox, set up REMnux/FlareVM environments, manage Docker-based analysis containers, and capture filesystem and process changes.

Offensive Security Skill

509

from a5c-ai/babysitter

Offensive security tools and techniques integration

hardware-security

509

from a5c-ai/babysitter

Hardware and embedded security research capabilities. Interface with JTAG debuggers, analyze SPI/I2C communications, dump and analyze firmware, support fault injection, side-channel analysis, and hardware exploitation research.

cloud-security-testing

509

from a5c-ai/babysitter

Multi-cloud security assessment and penetration testing capabilities. Execute Prowler/ScoutSuite assessments, analyze IAM policies, identify cloud misconfigurations, test permissions, and enumerate cloud resources across AWS/GCP/Azure.

Burp Suite/Web Security Skill

509

from a5c-ai/babysitter

Web application security testing with Burp Suite integration

aiml-security

509

from a5c-ai/babysitter

AI/ML model security testing and adversarial research capabilities. Generate adversarial examples, test model robustness, perform model extraction attacks, test for data poisoning, analyze model fairness, and support ART framework integration.

vendor-security-questionnaire

509

from a5c-ai/babysitter

Automated vendor security assessment through questionnaire generation, response parsing, and risk scoring

secret-detection-scanner

509

from a5c-ai/babysitter

Detect secrets, credentials, and sensitive data in code and configurations. Scan git history for secrets, detect API keys, tokens, passwords, check environment files, monitor CI/CD logs for exposure, generate remediation steps, and track secret rotation status.

multi-cloud-security-posture

509

from a5c-ai/babysitter

Unified cloud security posture management across AWS, Azure, and GCP with normalized metrics and CIS benchmark comparison

iac-security-scanner

509

from a5c-ai/babysitter

Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi