OWASP Category Mapping

Use this skill when the user asks for OWASP Top 10 mapping, CWE alignment, or standards-oriented reporting. The directory name stays `owasp-2025` for backward compatibility, but external reports should use official OWASP Top 10 names.

14 stars

Best use case

OWASP Category Mapping is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use this skill when the user asks for OWASP Top 10 mapping, CWE alignment, or standards-oriented reporting. The directory name stays `owasp-2025` for backward compatibility, but external reports should use official OWASP Top 10 names.

Teams using OWASP Category Mapping should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/owasp-2025/SKILL.md --create-dirs "https://raw.githubusercontent.com/allsmog/vuln-scout/main/vuln-scout/skills/owasp-2025/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/owasp-2025/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How OWASP Category Mapping Compares

Feature / AgentOWASP Category MappingStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use this skill when the user asks for OWASP Top 10 mapping, CWE alignment, or standards-oriented reporting. The directory name stays `owasp-2025` for backward compatibility, but external reports should use official OWASP Top 10 names.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# OWASP Top 10 Reference

## Purpose

Map VulnScout findings to official OWASP Top 10 category names, highlight what the plugin covers well, and keep reports aligned with widely recognized security terminology.

## Reporting Rule

- Use official OWASP Top 10 names in user-facing reports.
- Treat the `owasp-2025` directory name as a compatibility alias, not as proof of a future OWASP taxonomy.
- Prefer CWE plus concrete vulnerability class when a finding does not fit cleanly into a single OWASP bucket.

## Coverage Overview

| OWASP Top 10 | VulnScout Coverage | Primary Skills |
|--------------|--------------------|----------------|
| A01: Broken Access Control | Strong | `business-logic`, `threat-modeling` |
| A02: Cryptographic Failures | Strong | `cryptographic-failures` |
| A03: Injection | Strong | `vuln-patterns`, `dangerous-functions`, `framework-patterns` |
| A04: Insecure Design | Strong | `business-logic`, `threat-modeling` |
| A05: Security Misconfiguration | Strong | `security-misconfiguration`, `framework-patterns` |
| A06: Vulnerable and Outdated Components | Out of scope | *(dependency and SBOM tooling)* |
| A07: Identification and Authentication Failures | Moderate | `vuln-patterns`, `business-logic` |
| A08: Software and Data Integrity Failures | Moderate | `vuln-patterns`, `sensitive-data-leakage` |
| A09: Security Logging and Monitoring Failures | Strong | `logging-failures`, `sensitive-data-leakage` |
| A10: Server-Side Request Forgery | Strong | `vuln-patterns`, `framework-patterns`, `vulnerability-chains` |

## Mapping Guidance

### A01: Broken Access Control

Use for:
- IDOR
- missing authorization checks
- role and tenant boundary bypasses
- unsafe direct access to user-controlled object identifiers

Common CWE anchors:
- CWE-284
- CWE-285
- CWE-639
- CWE-862
- CWE-863

### A02: Cryptographic Failures

Use for:
- weak or obsolete algorithms
- hardcoded secrets
- insecure randomness
- missing encryption on sensitive data paths

Common CWE anchors:
- CWE-326
- CWE-327
- CWE-330
- CWE-338
- CWE-798

### A03: Injection

Use for:
- SQL injection
- command injection
- SSTI
- XSS
- LDAP injection
- unsafe interpreter invocation

Common CWE anchors:
- CWE-77
- CWE-78
- CWE-79
- CWE-89
- CWE-90
- CWE-94

### A04: Insecure Design

Use for:
- missing rate limits or workflow controls
- trust boundary violations
- dangerous state transitions
- business logic flaws that are not just a missing authorization check

Common CWE anchors:
- CWE-209
- CWE-256
- CWE-501
- CWE-522
- CWE-656

### A05: Security Misconfiguration

Use for:
- debug mode in production
- insecure defaults
- exposed internal tooling
- missing hardening headers or framework safety controls

Common CWE anchors:
- CWE-16
- CWE-209
- CWE-215
- CWE-548
- CWE-756

### A06: Vulnerable and Outdated Components

Out of scope for this plugin's code-review workflow. If the user needs this category:
- hand off to dependency scanning, SBOM, or supply-chain tooling
- do not overstate coverage in VulnScout-generated reports

### A07: Identification and Authentication Failures

Use for:
- session fixation
- weak password or token validation
- authentication bypass
- unsafe MFA or reset flows

Common CWE anchors:
- CWE-287
- CWE-288
- CWE-294
- CWE-307
- CWE-384
- CWE-640

### A08: Software and Data Integrity Failures

Use for:
- unsafe deserialization
- integrity bypasses in update or build flows
- unsigned or unverified data loading
- missing signature verification

Common CWE anchors:
- CWE-345
- CWE-353
- CWE-502
- CWE-565
- CWE-784
- CWE-829

### A09: Security Logging and Monitoring Failures

Use for:
- log injection
- secrets in logs
- missing security event coverage
- missing or unusable audit trails for critical actions

Common CWE anchors:
- CWE-117
- CWE-223
- CWE-532
- CWE-778

### A10: Server-Side Request Forgery

Use for:
- server-side fetches of attacker-controlled URLs
- metadata service reachability
- internal pivoting through HTTP clients
- webhook, callback, and proxy misuse without host or protocol controls

Common CWE anchors:
- CWE-918

## Reporting Template

When mapping a finding, prefer this shape:

```markdown
- OWASP: A03 Injection
- CWE: CWE-89
- Why it fits: user-controlled input reaches SQL execution without parameter binding
```

## Guardrails

- Do not upgrade a `hotspot` into a reportable finding just to fill an OWASP bucket.
- If the best label is uncertain, keep the concrete vulnerability type and CWE, and state the OWASP category as provisional.
- Unsupported-language verification should remain `na_cpg`, not `false_positive`.

Related Skills

OWASP API Security Top 10

14
from allsmog/vuln-scout

This skill should be used when the user asks about "API security", "OWASP API Top 10", "BOLA", "broken object level authorization", "API authentication", "mass assignment", "GraphQL security", "gRPC security", "rate limiting", "API abuse", "REST API vulnerabilities", or needs to identify API-specific security issues during whitebox security review.

Compliance Mapping

14
from allsmog/vuln-scout

This skill should be used when the user asks about "compliance mapping", "PCI-DSS", "HIPAA", "SOC 2", "NIST CSF", "regulatory requirements", "compliance report", or needs to map security findings to compliance framework requirements.

Workspace Discovery

14
from allsmog/vuln-scout

This skill should be used when the user asks to "detect workspaces", "find packages", "list monorepo packages", "workspace structure", "monorepo analysis", or needs to identify workspace/package boundaries in a codebase for focused security analysis.

vulnerability-chains

14
from allsmog/vuln-scout

This skill should be used when the user asks about "vulnerability chains", "chained exploits", "multi-step attacks", "SSRF to RCE", "pivot attacks", or needs to identify how vulnerabilities in different components can be combined during whitebox security review.

Vulnerability Patterns

14
from allsmog/vuln-scout

This skill should be used when the user asks about "vulnerability patterns", "how to find SQL injection", "XSS patterns", "command injection techniques", "OWASP vulnerabilities", "common web vulnerabilities", "exploitation patterns", or needs to understand how specific vulnerability classes work during whitebox security review.

Threat Modeling

14
from allsmog/vuln-scout

This skill should be used when the user asks about "threat model", "STRIDE", "data flow diagram", "attack surface", "threat analysis", "security architecture", "component threats", "trust boundaries", "technology decomposition", or needs systematic threat identification during whitebox security review.

verify-finding

14
from allsmog/vuln-scout

Drive a single finding through CPG verification and false-positive triage.

start-audit

14
from allsmog/vuln-scout

Guided first-run security audit: doctor, scope, threats, scan, verify, report.

scope-repo

14
from allsmog/vuln-scout

Decide audit boundaries for large or monorepo targets and write audit-plan.md.

review-pr

14
from allsmog/vuln-scout

Diff-aware PR security review with verified findings and PR comment payload.

package-evidence

14
from allsmog/vuln-scout

Bundle findings, reports, audit plan, and ledger into one evidence zip.

Sensitive Data Leakage

14
from allsmog/vuln-scout

Detect ANY credential/secret flowing to ANY output sink. Use when asked about "credential leakage", "secret logging", "sensitive data exposure", "CWE-532", "password in logs", "token exposure", or security logging issues.