web-security-testing

Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.

16 stars

Best use case

web-security-testing is best used when you need a repeatable AI agent workflow instead of a one-off prompt.


Teams using web-security-testing should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

```sh
curl --create-dirs -o ~/.claude/skills/web-security-testing/SKILL.md "https://raw.githubusercontent.com/diegosouzapw/awesome-omni-skill/main/skills/testing-security/web-security-testing/SKILL.md"
```

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/web-security-testing/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How web-security-testing Compares

| Feature / Agent         | web-security-testing | Standard Approach |
|-------------------------|----------------------|-------------------|
| Platform Support        | Not specified        | Limited / Varies  |
| Context Awareness       | High                 | Baseline          |
| Installation Complexity | Unknown              | N/A               |


SKILL.md Source

# Web Security Testing Workflow

## Overview

Specialized workflow for testing web applications against OWASP Top 10 vulnerabilities including injection attacks, XSS, broken authentication, and access control issues.

## When to Use This Workflow

Use this workflow when:
- Testing web application security
- Performing OWASP Top 10 assessment
- Conducting penetration tests
- Validating security controls
- Bug bounty hunting

## Workflow Phases

### Phase 1: Reconnaissance

#### Skills to Invoke
- `scanning-tools` - Security scanning
- `top-web-vulnerabilities` - OWASP knowledge

#### Actions
1. Map application surface
2. Identify technologies
3. Discover endpoints
4. Find subdomains
5. Document findings

#### Copy-Paste Prompts
```
Use @scanning-tools to perform web application reconnaissance
```

### Phase 2: Injection Testing

#### Skills to Invoke
- `sql-injection-testing` - SQL injection
- `sqlmap-database-pentesting` - SQLMap

#### Actions
1. Test SQL injection
2. Test NoSQL injection
3. Test command injection
4. Test LDAP injection
5. Document vulnerabilities

#### Copy-Paste Prompts
```
Use @sql-injection-testing to test for SQL injection
```

```
Use @sqlmap-database-pentesting to automate SQL injection testing
```

### Phase 3: XSS Testing

#### Skills to Invoke
- `xss-html-injection` - XSS testing
- `html-injection-testing` - HTML injection

#### Actions
1. Test reflected XSS
2. Test stored XSS
3. Test DOM-based XSS
4. Test XSS filters
5. Document findings

#### Copy-Paste Prompts
```
Use @xss-html-injection to test for cross-site scripting
```

### Phase 4: Authentication Testing

#### Skills to Invoke
- `broken-authentication` - Authentication testing

#### Actions
1. Test credential stuffing
2. Test brute force protection
3. Test session management
4. Test password policies
5. Test MFA implementation

#### Copy-Paste Prompts
```
Use @broken-authentication to test authentication security
```

### Phase 5: Access Control Testing

#### Skills to Invoke
- `idor-testing` - IDOR testing
- `file-path-traversal` - Path traversal

#### Actions
1. Test vertical privilege escalation
2. Test horizontal privilege escalation
3. Test IDOR vulnerabilities
4. Test directory traversal
5. Test unauthorized access

#### Copy-Paste Prompts
```
Use @idor-testing to test for insecure direct object references
```

```
Use @file-path-traversal to test for path traversal
```

### Phase 6: Security Headers

#### Skills to Invoke
- `api-security-best-practices` - Security headers

#### Actions
1. Check CSP implementation
2. Verify HSTS configuration
3. Test X-Frame-Options
4. Check X-Content-Type-Options
5. Verify referrer policy

#### Copy-Paste Prompts
```
Use @api-security-best-practices to audit security headers
```
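The five checks in Phase 6 can be scripted so the audit is repeatable. The following is an added example, not part of the original SKILL.md or any of the invoked skills: it parses a raw HTTP response head and reports each weak or missing header. The sample responses are constructed, and the one-year HSTS threshold and the set of "safe" Referrer-Policy values are assumptions chosen for this check.

```python
import re

# Constructed sample responses (not captured from any real host).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src * 'unsafe-inline'\r\n"
    "Strict-Transport-Security: max-age=60\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "Referrer-Policy: unsafe-url\r\n\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n\r\n"
)

MIN_HSTS_AGE = 31536000  # one year; assumed threshold for this audit
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}  # assumed policy set

def parse_headers(raw: str) -> dict[str, str]:
    """Map lower-cased header names to values from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    out: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out

def audit_headers(raw: str) -> list[str]:
    """Return one finding per weak or missing header; empty list means pass."""
    h, findings = parse_headers(raw), []
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP: header missing")
    else:  # flag wildcard and unsafe-* source expressions anywhere in the policy
        weak = set(csp.replace(";", " ").split()) & {"*", "'unsafe-inline'", "'unsafe-eval'"}
        if weak:
            findings.append("CSP: permissive source(s) " + ", ".join(sorted(weak)))
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS: missing or max-age below one year")
    # CSP frame-ancestors supersedes X-Frame-Options, so accept either control
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options: missing/invalid and no CSP frame-ancestors")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: not 'nosniff'")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy: missing or leaks full URLs cross-origin")
    return findings
```

Feed it the raw head of a captured response and record the returned findings in the Phase 7 report.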

### Phase 7: Reporting

#### Skills to Invoke
- `reporting-standards` - Security reporting

#### Actions
1. Document vulnerabilities
2. Assess risk levels
3. Provide remediation
4. Create proof of concept
5. Generate report

#### Copy-Paste Prompts
```
Use @reporting-standards to create a security report
```

## OWASP Top 10 Checklist

- [ ] A01: Broken Access Control
- [ ] A02: Cryptographic Failures
- [ ] A03: Injection
- [ ] A04: Insecure Design
- [ ] A05: Security Misconfiguration
- [ ] A06: Vulnerable Components
- [ ] A07: Authentication Failures
- [ ] A08: Software/Data Integrity
- [ ] A09: Logging/Monitoring
- [ ] A10: SSRF

## Quality Gates

- [ ] All OWASP Top 10 tested
- [ ] Vulnerabilities documented
- [ ] Proof of concepts captured
- [ ] Remediation provided
- [ ] Report generated

## Related Workflow Bundles

- `security-audit` - Security auditing
- `api-security-testing` - API security
- `wordpress-security` - WordPress security

Related Skills

All of the following are from diegosouzapw/awesome-omni-skill (16 stars each):

  • web-app-testing: Gemini 2.5 Computer Use for browser automation with VISIBLE local browser. Watch Gemini AI control your browser in real-time. Perfect for web app testing, automation demos, and debugging.
  • wallaby-testing: Check test status and debug failing tests using Wallaby.js real-time test results. Use after making code changes to verify tests pass, when checking if tests are failing, debugging test errors, analyzing assertions, inspecting runtime values, checking coverage, updating snapshots, or when user mentions Wallaby, tests, coverage, or test status.
  • unit-testing-test-generate: Generate comprehensive, maintainable unit tests across languages with strong coverage and edge case focus.
  • typo3-security: Security hardening checklist and best practices for TYPO3 v13/v14 installations, covering configuration, file permissions, and common vulnerabilities.
  • treido-testing: Testing specialist for Treido (Playwright + Next.js). Use for writing/debugging E2E tests, deflaking, selectors, auth state, parallel execution, and CI stability.
  • testing-workflow: Meta-skill that orchestrates comprehensive testing across a project by coordinating testing-patterns, e2e-testing, and testing agents. Use when setting up testing for a new project, improving coverage for an existing project, establishing a testing strategy, or verifying quality before a release.
  • testing-strategy: Comprehensive guide for implementing AIDB tests following E2E-first philosophy, DebugInterface abstraction, and MCP response health standards.
  • testing-strategies: Testing strategies, patterns, and best practices for production code.
  • testing-services: Writes unit tests for Python service classes using Arrange-Act-Assert pattern with proper mocking at boundaries. Tests behavior, not implementation. Mocks external systems only (API calls, file I/O, databases). Use when writing tests for services or fixing test coverage.
  • testing-quality: Plans and executes comprehensive testing strategy across frontend, backend, and AI tiers. Activates when writing tests, testing features, setting up test infrastructure, checking coverage, running E2E tests, or performance testing. Does not handle writing production code (backend-developer or frontend-developer), vulnerability/security review (security), or infrastructure deployment (devops).
  • testing-patterns: Testing patterns using bun:test with in-memory SQLite. Use when writing unit tests, integration tests, or router tests.
  • testing-obsessive: This skill should be used when the user mentions "write tests", "test coverage", "testing strategy", "unit tests", "integration tests", "e2e tests", "vitest", "jest", discusses testing approaches, asks about test patterns, or works on test files. Addresses testing fundamentals with emphasis on Vitest and Svelte component testing using pragmatic, risk-based approaches.
This skill should be used when the user mentions "write tests", "test coverage", "testing strategy", "unit tests", "integration tests", "e2e tests", "vitest", "jest", discusses testing approaches, asks about test patterns, or works on test files. Addresses testing fundamentals with emphasis on Vitest and Svelte component testing using pragmatic, risk-based approaches.