iblai-security-owasp-audit

Audit application source code against the OWASP Top 10 vulnerability categories. Use when the user mentions 'OWASP,' 'security audit,' 'code security review,' 'vulnerability audit,' 'find vulnerabilities,' 'secure code review,' 'security review,' or wants to check their codebase for common security weaknesses.

12 stars

Best use case

iblai-security-owasp-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Audit application source code against the OWASP Top 10 vulnerability categories. Use when the user mentions 'OWASP,' 'security audit,' 'code security review,' 'vulnerability audit,' 'find vulnerabilities,' 'secure code review,' 'security review,' or wants to check their codebase for common security weaknesses.

Teams using iblai-security-owasp-audit should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/iblai-security-owasp-audit/SKILL.md --create-dirs "https://raw.githubusercontent.com/iblai/vibe/main/skills/iblai-security-owasp-audit/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/iblai-security-owasp-audit/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How iblai-security-owasp-audit Compares

Feature / Agentiblai-security-owasp-auditStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Audit application source code against the OWASP Top 10 vulnerability categories. Use when the user mentions 'OWASP,' 'security audit,' 'code security review,' 'vulnerability audit,' 'find vulnerabilities,' 'secure code review,' 'security review,' or wants to check their codebase for common security weaknesses.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# /iblai-security-owasp-audit

Run a systematic source-code audit against the OWASP Top 10 (2021).
Ship concrete findings with file/line references and remediation.

Do NOT write exploits. Every finding ships with a fix.

## Step 0: Scope the Audit

1. Identify language, framework, and architecture.
2. Map entry points — routes, API handlers, form processors.
3. Trace data flows — user input -> processing -> storage -> output.
4. Locate authentication and authorization boundaries.

Multi-tenant B2B SaaS (the typical ibl.ai shape) makes A01 and permission-bypass paths the highest-leverage targets — sweep those first.

## Audit Checklist

Walk each category. Grep for known sinks, then read flagged files to confirm.

### A01: Broken Access Control

- Endpoints/routes missing authorization checks
- IDOR — user-controlled IDs without ownership verification
- Missing CSRF protections on state-changing requests
- Role checks enforced only on the frontend, not server-side
- Grep for: direct object references, missing auth middleware, user ID pulled from request params

### A02: Cryptographic Failures

- Hardcoded secrets, API keys, or passwords in source
- Weak hashing (MD5, SHA1 for passwords instead of bcrypt/argon2/scrypt)
- Sensitive data in logs, URLs, or localStorage
- Missing encryption at rest or in transit
- Grep for: `password`, `secret`, `api_key`, `private_key`, `MD5`, `SHA1`, `base64`

### A03: Injection

- **SQL injection:** raw queries with string concatenation, missing parameterized queries
- **NoSQL injection:** unsanitized user input in MongoDB/Convex queries
- **Command injection:** `exec()`, `spawn()`, `system()` with user input
- **XSS:** unescaped user input in HTML, `dangerouslySetInnerHTML`, `v-html`
- **Template injection:** user input in template literals
- Grep for: `exec(`, `eval(`, `innerHTML`, `dangerouslySetInnerHTML`, `$where`, raw SQL strings

### A04: Insecure Design

- Authentication flows with logic flaws
- Missing rate limiting on sensitive endpoints (login, password reset, API)
- Business-logic constraints enforced only client-side

### A05: Security Misconfiguration

- Debug mode enabled in production configs
- Overly permissive CORS (`Access-Control-Allow-Origin: *`)
- Missing HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
- Default credentials or configs shipped
- Verbose error messages leaking stack traces or internals

### A06: Vulnerable Components

- Run `npm audit` (Node), `pip audit` (Python), or equivalent
- Check lock files for known-vulnerable versions
- Flag dependencies with critical CVEs

### A07: Authentication Failures

- Weak password policies
- Session management issues (missing secure/httpOnly flags, no expiry, no rotation)
- Missing rate limiting on login (credential-stuffing risk)
- Broken password reset flows

### A08: Data Integrity Failures

- Unsafe deserialization of user input
- Missing integrity checks on CI/CD pipelines
- No lockfile integrity verification (SRI hashes)

### A09: Logging & Monitoring Failures

- Auth events not logged (login, failure, privilege changes)
- Sensitive data written to logs (passwords, tokens, PII)
- No alerting on suspicious patterns

### A10: SSRF

- User-controlled URLs passed to server-side HTTP requests
- Missing URL validation and allowlisting
- Grep for: `fetch(`, `axios(`, `http.get(`, `urllib`, `requests.get(` with user input

## Report Format

For each finding:

```markdown
#### [SEVERITY] A0X: [Title]
**File:** `path/to/file.ts:42`
**CWE:** CWE-XXX

**Description:** [What the vulnerability is and why it matters]

**Vulnerable Code:**
[code snippet]

**Remediation:**
[Fixed code snippet with explanation]
```

Wrap in an executive summary:

```markdown
# Security Audit Report
## Project: [name]
## Stack: [technologies]
## Date: [date]

### Summary
- Total findings: X
- Critical: X | High: X | Medium: X | Low: X | Info: X

### Findings
[Individual findings as above]

### Prioritized Remediation Plan
1. [Critical fixes — immediate]
2. [High fixes — this week]
3. [Medium/Low — scheduled]
```

## Boundaries

- Only audit code the user provides or points you to.
- Always include remediation — fixes, not exploits.
- Flag low-confidence findings as "Potential" rather than confirmed.
- If the codebase is too large for a full audit, prioritize auth, input handling, and data-access layers.
- Refuse requests to insert backdoors or weaken security controls.

## References

OWASP Top 10 (2021), OWASP Code Review Guide, CWE Top 25

Related Skills

iblai-workflow

12
from iblai/vibe

Add workflow builder components to your Next.js app

iblai-security-recon

12
from iblai/vibe

Perform structured reconnaissance and attack surface enumeration for authorized penetration tests, CTF challenges, and bug bounty programs. Use when the user mentions 'recon,' 'reconnaissance,' 'enumerate,' 'attack surface,' 'subdomain enumeration,' 'port scan,' 'fingerprint,' 'asset discovery,' or needs to map a target's external footprint.

iblai-security-prompt-injection

12
from iblai/vibe

Audit applications for AI prompt injection, agent security, and LLM permission boundary vulnerabilities. Use when the user mentions 'prompt injection,' 'LLM security,' 'AI security,' 'jailbreak,' 'indirect prompt injection,' 'prompt leaking,' 'AI red team,' 'LLM vulnerabilities,' 'AI input validation,' 'system prompt extraction,' 'agent security,' 'MCP security,' 'AI permissions,' 'AI privilege escalation,' or needs to secure any application with AI features, AI agents, or LLM integrations.

iblai-security-osint-recon

12
from iblai/vibe

Gather and correlate open source intelligence from public sources for authorized investigations, threat intelligence, and attack surface assessment. Use when the user mentions 'OSINT,' 'open source intelligence,' 'digital footprint,' 'public records,' 'threat intelligence,' 'investigate a domain,' or needs to research a target using publicly available data.

iblai-security-incident-triage

12
from iblai/vibe

Guide rapid triage and initial response to security incidents following NIST SP 800-61 methodology. Use when the user mentions 'incident response,' 'security incident,' 'triage,' 'we've been hacked,' 'breach,' 'compromised,' 'malware detected,' 'suspicious activity,' 'IOC,' 'indicators of compromise,' or needs help handling a security event.

iblai-security-disk-forensics

12
from iblai/vibe

Analyze disk images and file systems for digital evidence recovery in forensic investigations and CTF challenges. Use when the user mentions 'disk forensics,' 'forensic analysis,' 'disk image,' 'file carving,' 'deleted files,' 'evidence recovery,' 'autopsy,' 'sleuthkit,' or needs to examine a forensic image.

iblai-security-dependency-audit

12
from iblai/vibe

Audit project dependencies, frameworks, languages, and dev tools for known vulnerabilities, CVEs, and security anti-patterns. Use when the user mentions 'dependency audit,' 'npm audit,' 'CVE,' 'vulnerable packages,' 'supply chain security,' 'outdated dependencies,' 'known vulnerabilities,' 'security advisory,' 'package security,' 'framework vulnerability,' 'is this package safe,' or needs to check whether their stack has known security issues.

iblai-security-cloud-audit

12
from iblai/vibe

Audit cloud infrastructure (AWS, GCP, Azure) for misconfigurations, excessive permissions, and security gaps. Use when the user mentions 'cloud security,' 'cloud audit,' 'AWS security,' 'GCP security,' 'Azure security,' 'IAM audit,' 'S3 bucket,' 'cloud misconfiguration,' 'cloud hardening,' or needs to review cloud infrastructure security.

iblai-readme

12
from iblai/vibe

Write or refresh the README.md

iblai-rbac

12
from iblai/vibe

Use when building, auditing, or extending ibl.ai role-based access control — default roles seeded by the platform, the action-definitions endpoint, and the SDK components (Admin, RolesTab, PoliciesTab) that render the Roles + Policies management UI. For agent-scoped sharing (editor / chat roles on a single mentor) see /iblai-agent-access; for mounting the host Account modal see /iblai-account.

iblai-project

12
from iblai/vibe

Add the in-process Projects surface (project landing page — chat input + project files + instructions + assigned agents) to a Next.js app

iblai-profile

12
from iblai/vibe

Add profile dropdown and settings page to your Next.js app