iblai-security-owasp-audit
Audit application source code against the OWASP Top 10 vulnerability categories. Use when the user mentions 'OWASP,' 'security audit,' 'code security review,' 'vulnerability audit,' 'find vulnerabilities,' 'secure code review,' 'security review,' or wants to check their codebase for common security weaknesses.
Best use case
iblai-security-owasp-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Audit application source code against the OWASP Top 10 vulnerability categories. Use when the user mentions 'OWASP,' 'security audit,' 'code security review,' 'vulnerability audit,' 'find vulnerabilities,' 'secure code review,' 'security review,' or wants to check their codebase for common security weaknesses.
Teams using iblai-security-owasp-audit should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/iblai-security-owasp-audit/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How iblai-security-owasp-audit Compares
| Feature / Agent | iblai-security-owasp-audit | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Audit application source code against the OWASP Top 10 vulnerability categories. Use when the user mentions 'OWASP,' 'security audit,' 'code security review,' 'vulnerability audit,' 'find vulnerabilities,' 'secure code review,' 'security review,' or wants to check their codebase for common security weaknesses.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# /iblai-security-owasp-audit Run a systematic source-code audit against the OWASP Top 10 (2021). Ship concrete findings with file/line references and remediation. Do NOT write exploits. Every finding ships with a fix. ## Step 0: Scope the Audit 1. Identify language, framework, and architecture. 2. Map entry points — routes, API handlers, form processors. 3. Trace data flows — user input -> processing -> storage -> output. 4. Locate authentication and authorization boundaries. Multi-tenant B2B SaaS (the typical ibl.ai shape) makes A01 and permission-bypass paths the highest-leverage targets — sweep those first. ## Audit Checklist Walk each category. Grep for known sinks, then read flagged files to confirm. ### A01: Broken Access Control - Endpoints/routes missing authorization checks - IDOR — user-controlled IDs without ownership verification - Missing CSRF protections on state-changing requests - Role checks enforced only on the frontend, not server-side - Grep for: direct object references, missing auth middleware, user ID pulled from request params ### A02: Cryptographic Failures - Hardcoded secrets, API keys, or passwords in source - Weak hashing (MD5, SHA1 for passwords instead of bcrypt/argon2/scrypt) - Sensitive data in logs, URLs, or localStorage - Missing encryption at rest or in transit - Grep for: `password`, `secret`, `api_key`, `private_key`, `MD5`, `SHA1`, `base64` ### A03: Injection - **SQL injection:** raw queries with string concatenation, missing parameterized queries - **NoSQL injection:** unsanitized user input in MongoDB/Convex queries - **Command injection:** `exec()`, `spawn()`, `system()` with user input - **XSS:** unescaped user input in HTML, `dangerouslySetInnerHTML`, `v-html` - **Template injection:** user input in template literals - Grep for: `exec(`, `eval(`, `innerHTML`, `dangerouslySetInnerHTML`, `$where`, raw SQL strings ### A04: Insecure Design - Authentication flows with logic flaws - Missing rate limiting on sensitive endpoints (login, password reset, API) - Business-logic constraints enforced only client-side ### A05: Security Misconfiguration - Debug mode enabled in production configs - Overly permissive CORS (`Access-Control-Allow-Origin: *`) - Missing HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options) - Default credentials or configs shipped - Verbose error messages leaking stack traces or internals ### A06: Vulnerable Components - Run `npm audit` (Node), `pip audit` (Python), or equivalent - Check lock files for known-vulnerable versions - Flag dependencies with critical CVEs ### A07: Authentication Failures - Weak password policies - Session management issues (missing secure/httpOnly flags, no expiry, no rotation) - Missing rate limiting on login (credential-stuffing risk) - Broken password reset flows ### A08: Data Integrity Failures - Unsafe deserialization of user input - Missing integrity checks on CI/CD pipelines - No lockfile integrity verification (SRI hashes) ### A09: Logging & Monitoring Failures - Auth events not logged (login, failure, privilege changes) - Sensitive data written to logs (passwords, tokens, PII) - No alerting on suspicious patterns ### A10: SSRF - User-controlled URLs passed to server-side HTTP requests - Missing URL validation and allowlisting - Grep for: `fetch(`, `axios(`, `http.get(`, `urllib`, `requests.get(` with user input ## Report Format For each finding: ```markdown #### [SEVERITY] A0X: [Title] **File:** `path/to/file.ts:42` **CWE:** CWE-XXX **Description:** [What the vulnerability is and why it matters] **Vulnerable Code:** [code snippet] **Remediation:** [Fixed code snippet with explanation] ``` Wrap in an executive summary: ```markdown # Security Audit Report ## Project: [name] ## Stack: [technologies] ## Date: [date] ### Summary - Total findings: X - Critical: X | High: X | Medium: X | Low: X | Info: X ### Findings [Individual findings as above] ### Prioritized Remediation Plan 1. [Critical fixes — immediate] 2. [High fixes — this week] 3. [Medium/Low — scheduled] ``` ## Boundaries - Only audit code the user provides or points you to. - Always include remediation — fixes, not exploits. - Flag low-confidence findings as "Potential" rather than confirmed. - If the codebase is too large for a full audit, prioritize auth, input handling, and data-access layers. - Refuse requests to insert backdoors or weaken security controls. ## References OWASP Top 10 (2021), OWASP Code Review Guide, CWE Top 25
Related Skills
iblai-workflow
Add workflow builder components to your Next.js app
iblai-security-recon
Perform structured reconnaissance and attack surface enumeration for authorized penetration tests, CTF challenges, and bug bounty programs. Use when the user mentions 'recon,' 'reconnaissance,' 'enumerate,' 'attack surface,' 'subdomain enumeration,' 'port scan,' 'fingerprint,' 'asset discovery,' or needs to map a target's external footprint.
iblai-security-prompt-injection
Audit applications for AI prompt injection, agent security, and LLM permission boundary vulnerabilities. Use when the user mentions 'prompt injection,' 'LLM security,' 'AI security,' 'jailbreak,' 'indirect prompt injection,' 'prompt leaking,' 'AI red team,' 'LLM vulnerabilities,' 'AI input validation,' 'system prompt extraction,' 'agent security,' 'MCP security,' 'AI permissions,' 'AI privilege escalation,' or needs to secure any application with AI features, AI agents, or LLM integrations.
iblai-security-osint-recon
Gather and correlate open source intelligence from public sources for authorized investigations, threat intelligence, and attack surface assessment. Use when the user mentions 'OSINT,' 'open source intelligence,' 'digital footprint,' 'public records,' 'threat intelligence,' 'investigate a domain,' or needs to research a target using publicly available data.
iblai-security-incident-triage
Guide rapid triage and initial response to security incidents following NIST SP 800-61 methodology. Use when the user mentions 'incident response,' 'security incident,' 'triage,' 'we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity,' 'IOC,' 'indicators of compromise,' or needs help handling a security event.
iblai-security-disk-forensics
Analyze disk images and file systems for digital evidence recovery in forensic investigations and CTF challenges. Use when the user mentions 'disk forensics,' 'forensic analysis,' 'disk image,' 'file carving,' 'deleted files,' 'evidence recovery,' 'autopsy,' 'sleuthkit,' or needs to examine a forensic image.
iblai-security-dependency-audit
Audit project dependencies, frameworks, languages, and dev tools for known vulnerabilities, CVEs, and security anti-patterns. Use when the user mentions 'dependency audit,' 'npm audit,' 'CVE,' 'vulnerable packages,' 'supply chain security,' 'outdated dependencies,' 'known vulnerabilities,' 'security advisory,' 'package security,' 'framework vulnerability,' 'is this package safe,' or needs to check whether their stack has known security issues.
iblai-security-cloud-audit
Audit cloud infrastructure (AWS, GCP, Azure) for misconfigurations, excessive permissions, and security gaps. Use when the user mentions 'cloud security,' 'cloud audit,' 'AWS security,' 'GCP security,' 'Azure security,' 'IAM audit,' 'S3 bucket,' 'cloud misconfiguration,' 'cloud hardening,' or needs to review cloud infrastructure security.
iblai-readme
Write or refresh the README.md
iblai-rbac
Use when building, auditing, or extending ibl.ai role-based access control — default roles seeded by the platform, the action-definitions endpoint, and the SDK components (Admin, RolesTab, PoliciesTab) that render the Roles + Policies management UI. For agent-scoped sharing (editor / chat roles on a single mentor) see /iblai-agent-access; for mounting the host Account modal see /iblai-account.
iblai-project
Add the in-process Projects surface (project landing page — chat input + project files + instructions + assigned agents) to a Next.js app
iblai-profile
Add profile dropdown and settings page to your Next.js app