web-security-testing
Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.
Best use case
web-security-testing is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.
Teams using web-security-testing should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/web-security-testing/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How web-security-testing Compares
| Feature / Agent | web-security-testing | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Web Security Testing Workflow ## Overview Specialized workflow for testing web applications against OWASP Top 10 vulnerabilities including injection attacks, XSS, broken authentication, and access control issues. ## When to Use This Workflow Use this workflow when: - Testing web application security - Performing OWASP Top 10 assessment - Conducting penetration tests - Validating security controls - Bug bounty hunting ## Workflow Phases ### Phase 1: Reconnaissance #### Skills to Invoke - `scanning-tools` - Security scanning - `top-web-vulnerabilities` - OWASP knowledge #### Actions 1. Map application surface 2. Identify technologies 3. Discover endpoints 4. Find subdomains 5. Document findings #### Copy-Paste Prompts ``` Use @scanning-tools to perform web application reconnaissance ``` ### Phase 2: Injection Testing #### Skills to Invoke - `sql-injection-testing` - SQL injection - `sqlmap-database-pentesting` - SQLMap #### Actions 1. Test SQL injection 2. Test NoSQL injection 3. Test command injection 4. Test LDAP injection 5. Document vulnerabilities #### Copy-Paste Prompts ``` Use @sql-injection-testing to test for SQL injection ``` ``` Use @sqlmap-database-pentesting to automate SQL injection testing ``` ### Phase 3: XSS Testing #### Skills to Invoke - `xss-html-injection` - XSS testing - `html-injection-testing` - HTML injection #### Actions 1. Test reflected XSS 2. Test stored XSS 3. Test DOM-based XSS 4. Test XSS filters 5. Document findings #### Copy-Paste Prompts ``` Use @xss-html-injection to test for cross-site scripting ``` ### Phase 4: Authentication Testing #### Skills to Invoke - `broken-authentication` - Authentication testing #### Actions 1. Test credential stuffing 2. Test brute force protection 3. Test session management 4. Test password policies 5. Test MFA implementation #### Copy-Paste Prompts ``` Use @broken-authentication to test authentication security ``` ### Phase 5: Access Control Testing #### Skills to Invoke - `idor-testing` - IDOR testing - `file-path-traversal` - Path traversal #### Actions 1. Test vertical privilege escalation 2. Test horizontal privilege escalation 3. Test IDOR vulnerabilities 4. Test directory traversal 5. Test unauthorized access #### Copy-Paste Prompts ``` Use @idor-testing to test for insecure direct object references ``` ``` Use @file-path-traversal to test for path traversal ``` ### Phase 6: Security Headers #### Skills to Invoke - `api-security-best-practices` - Security headers #### Actions 1. Check CSP implementation 2. Verify HSTS configuration 3. Test X-Frame-Options 4. Check X-Content-Type-Options 5. Verify referrer policy #### Copy-Paste Prompts ``` Use @api-security-best-practices to audit security headers ``` ### Phase 7: Reporting #### Skills to Invoke - `reporting-standards` - Security reporting #### Actions 1. Document vulnerabilities 2. Assess risk levels 3. Provide remediation 4. Create proof of concept 5. Generate report #### Copy-Paste Prompts ``` Use @reporting-standards to create security report ``` ## OWASP Top 10 Checklist - [ ] A01: Broken Access Control - [ ] A02: Cryptographic Failures - [ ] A03: Injection - [ ] A04: Insecure Design - [ ] A05: Security Misconfiguration - [ ] A06: Vulnerable Components - [ ] A07: Authentication Failures - [ ] A08: Software/Data Integrity - [ ] A09: Logging/Monitoring - [ ] A10: SSRF ## Quality Gates - [ ] All OWASP Top 10 tested - [ ] Vulnerabilities documented - [ ] Proof of concepts captured - [ ] Remediation provided - [ ] Report generated ## Related Workflow Bundles - `security-audit` - Security auditing - `api-security-testing` - API security - `wordpress-security` - WordPress security
Related Skills
wordpress-penetration-testing
This skill should be used when the user asks to "pentest WordPress sites", "scan WordPress for vulnerabilities", "enumerate WordPress users, themes, or plugins", "exploit WordPress vu...
webapp-testing
Toolkit for interacting with and testing local web applications using Playwright. Supports verifying frontend functionality, debugging UI behavior, capturing browser screenshots, and viewing browse...
web3-testing
Test smart contracts comprehensively using Hardhat and Foundry with unit tests, integration tests, and mainnet forking. Use when testing Solidity contracts, setting up blockchain test suites, or va...
unit-testing-test-generate
Generate comprehensive, maintainable unit tests across languages with strong coverage and edge case focus.
testing-qa
Comprehensive testing and QA workflow covering unit testing, integration testing, E2E testing, browser automation, and quality assurance.
testing-patterns
Jest testing patterns, factory functions, mocking strategies, and TDD workflow. Use when writing unit tests, creating test factories, or following TDD red-green-refactor cycle.
temporal-python-testing
Test Temporal workflows with pytest, time-skipping, and mocking strategies. Covers unit testing, integration testing, replay testing, and local development setup. Use when implementing Temporal wor...
ssh-penetration-testing
This skill should be used when the user asks to "pentest SSH services", "enumerate SSH configurations", "brute force SSH credentials", "exploit SSH vulnerabilities", "perform SSH tu...
sqlmap-database-pentesting
This skill should be used when the user asks to "automate SQL injection testing," "enumerate database structure," "extract database credentials using sqlmap," "dump tables and columns...
sql-injection-testing
This skill should be used when the user asks to "test for SQL injection vulnerabilities", "perform SQLi attacks", "bypass authentication using SQL injection", "extract database inform...
solidity-security
Master smart contract security best practices to prevent common vulnerabilities and implement secure Solidity patterns. Use when writing smart contracts, auditing existing contracts, or implementin...
smtp-penetration-testing
This skill should be used when the user asks to "perform SMTP penetration testing", "enumerate email users", "test for open mail relays", "grab SMTP banners", "brute force email cre...