web-security-testing
Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.
Best use case
web-security-testing is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.
Teams using web-security-testing should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/web-security-testing/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How web-security-testing Compares
| Feature / Agent | web-security-testing | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Web Security Testing Workflow ## Overview Specialized workflow for testing web applications against OWASP Top 10 vulnerabilities including injection attacks, XSS, broken authentication, and access control issues. ## When to Use This Workflow Use this workflow when: - Testing web application security - Performing OWASP Top 10 assessment - Conducting penetration tests - Validating security controls - Bug bounty hunting ## Workflow Phases ### Phase 1: Reconnaissance #### Skills to Invoke - `scanning-tools` - Security scanning - `top-web-vulnerabilities` - OWASP knowledge #### Actions 1. Map application surface 2. Identify technologies 3. Discover endpoints 4. Find subdomains 5. Document findings #### Copy-Paste Prompts ``` Use @scanning-tools to perform web application reconnaissance ``` ### Phase 2: Injection Testing #### Skills to Invoke - `sql-injection-testing` - SQL injection - `sqlmap-database-pentesting` - SQLMap #### Actions 1. Test SQL injection 2. Test NoSQL injection 3. Test command injection 4. Test LDAP injection 5. Document vulnerabilities #### Copy-Paste Prompts ``` Use @sql-injection-testing to test for SQL injection ``` ``` Use @sqlmap-database-pentesting to automate SQL injection testing ``` ### Phase 3: XSS Testing #### Skills to Invoke - `xss-html-injection` - XSS testing - `html-injection-testing` - HTML injection #### Actions 1. Test reflected XSS 2. Test stored XSS 3. Test DOM-based XSS 4. Test XSS filters 5. Document findings #### Copy-Paste Prompts ``` Use @xss-html-injection to test for cross-site scripting ``` ### Phase 4: Authentication Testing #### Skills to Invoke - `broken-authentication` - Authentication testing #### Actions 1. Test credential stuffing 2. Test brute force protection 3. Test session management 4. Test password policies 5. Test MFA implementation #### Copy-Paste Prompts ``` Use @broken-authentication to test authentication security ``` ### Phase 5: Access Control Testing #### Skills to Invoke - `idor-testing` - IDOR testing - `file-path-traversal` - Path traversal #### Actions 1. Test vertical privilege escalation 2. Test horizontal privilege escalation 3. Test IDOR vulnerabilities 4. Test directory traversal 5. Test unauthorized access #### Copy-Paste Prompts ``` Use @idor-testing to test for insecure direct object references ``` ``` Use @file-path-traversal to test for path traversal ``` ### Phase 6: Security Headers #### Skills to Invoke - `api-security-best-practices` - Security headers #### Actions 1. Check CSP implementation 2. Verify HSTS configuration 3. Test X-Frame-Options 4. Check X-Content-Type-Options 5. Verify referrer policy #### Copy-Paste Prompts ``` Use @api-security-best-practices to audit security headers ``` ### Phase 7: Reporting #### Skills to Invoke - `reporting-standards` - Security reporting #### Actions 1. Document vulnerabilities 2. Assess risk levels 3. Provide remediation 4. Create proof of concept 5. Generate report #### Copy-Paste Prompts ``` Use @reporting-standards to create security report ``` ## OWASP Top 10 Checklist - [ ] A01: Broken Access Control - [ ] A02: Cryptographic Failures - [ ] A03: Injection - [ ] A04: Insecure Design - [ ] A05: Security Misconfiguration - [ ] A06: Vulnerable Components - [ ] A07: Authentication Failures - [ ] A08: Software/Data Integrity - [ ] A09: Logging/Monitoring - [ ] A10: SSRF ## Quality Gates - [ ] All OWASP Top 10 tested - [ ] Vulnerabilities documented - [ ] Proof of concepts captured - [ ] Remediation provided - [ ] Report generated ## Related Workflow Bundles - `security-audit` - Security auditing - `api-security-testing` - API security - `wordpress-security` - WordPress security
Related Skills
unit-testing-test-generate
Generate comprehensive, maintainable unit tests across languages with strong coverage and edge case focus.
wordpress-penetration-testing
This skill should be used when the user asks to "pentest WordPress sites", "scan WordPress for vulnerabilities", "enumerate WordPress users, themes, or plugins", "exploit WordPress vu...
testing-handbook-generator
Meta-skill that analyzes the Trail of Bits Testing Handbook (appsec.guide) and generates Claude Code skills for security testing tools and techniques. Use when creating new skills based on handbook content.
ssh-penetration-testing
This skill should be used when the user asks to "pentest SSH services", "enumerate SSH configurations", "brute force SSH credentials", "exploit SSH vulnerabilities", "perform SSH tu...
sql-injection-testing
This skill should be used when the user asks to "test for SQL injection vulnerabilities", "perform SQLi attacks", "bypass authentication using SQL injection", "extract database inform...
solidity-security
Master smart contract security best practices to prevent common vulnerabilities and implement secure Solidity patterns. Use when writing smart contracts, auditing existing contracts, or implementin...
smtp-penetration-testing
This skill should be used when the user asks to "perform SMTP penetration testing", "enumerate email users", "test for open mail relays", "grab SMTP banners", "brute force email cre...
securitytrails-automation
Automate Securitytrails tasks via Rube MCP (Composio). Always search tools first for current schemas.
security-threat-model
Repository-grounded threat modeling that enumerates trust boundaries, assets, attacker capabilities, abuse paths, and mitigations, and writes a concise Markdown threat model. Use when the user asks to threat model a codebase or path, enumerate threats or abuse paths, or perform AppSec threat modeling. Do NOT use for general architecture summaries, code review, security best practices (use security-best-practices), or non-security design work.
security-scanning-security-sast
Static Application Security Testing (SAST) for code vulnerability analysis across multiple languages and frameworks
security-scanning-security-hardening
Coordinate multi-layer security scanning and hardening across application, infrastructure, and compliance controls.
security-scanning-security-dependencies
You are a security expert specializing in dependency vulnerability analysis, SBOM generation, and supply chain security. Scan project dependencies across ecosystems to identify vulnerabilities, ass...