web-app-security-audit
Use when auditing a PHP/JavaScript/HTML web application for security vulnerabilities. Covers configuration, authentication, authorization, input validation, XSS, API security, HTTP headers, and dependency scanning. Produces a severity-rated audit...
Best use case
web-app-security-audit is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when auditing a PHP/JavaScript/HTML web application for security vulnerabilities. Covers configuration, authentication, authorization, input validation, XSS, API security, HTTP headers, and dependency scanning. Produces a severity-rated audit...
Teams using web-app-security-audit should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/web-app-security-audit/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How web-app-security-audit Compares
| Feature / Agent | web-app-security-audit | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when auditing a PHP/JavaScript/HTML web application for security vulnerabilities. Covers configuration, authentication, authorization, input validation, XSS, API security, HTTP headers, and dependency scanning. Produces a severity-rated audit...
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Web Application Security Audit Acknowledgement: Shared by Peter Bamuhigire, techguypeter.com, +256 784 464178. <!-- dual-compat-start --> ## Use When - Use when auditing a PHP/JavaScript/HTML web application for security vulnerabilities. Covers configuration, authentication, authorization, input validation, XSS, API security, HTTP headers, and dependency scanning. Produces a severity-rated audit... - The task needs reusable judgment, domain constraints, or a proven workflow rather than ad hoc advice. ## Do Not Use When - The task is unrelated to `web-app-security-audit` or would be better handled by a more specific companion skill. - The request only needs a trivial answer and none of this skill's constraints or references materially help. ## Required Inputs - Project context, constraints, and concrete problem; load `references` only as needed. - Confirm desired deliverable: audit report, remediation plan, or targeted review. ## Workflow - Read this `SKILL.md`, then load only the referenced deep-dive files needed for the task. - Apply the ordered guidance and decision rules; do not cherry-pick snippets. - State assumptions, risks, and follow-ups when they matter. ## Quality Standards - Outputs are execution-oriented, concise, and aligned with repository engineering standards. - Preserve project conventions unless this skill requires a stronger standard. ## Anti-Patterns - Treating examples as copy-paste truth without checking fit and failure modes. - Loading every reference by default instead of progressive disclosure. ## Outputs - A concrete result fitting the task: audit report, remediation plan, or review findings. - Explicit assumptions, tradeoffs, or unresolved gaps when context is incomplete. - References, companion skills, or follow-ups when they materially improve execution. ## Evidence Produced | Category | Artifact | Format | Example | |----------|----------|--------|---------| | Security | Web application audit report | Markdown doc covering config, auth, input validation, and session handling findings | `docs/security/web-audit-2026-04-16.md` | | Security | Remediation plan | Markdown doc listing findings, owners, and due dates | `docs/security/web-remediation-2026-04-16.md` | ## References - Use the `references/` directory for deep detail after reading the core workflow below. <!-- dual-compat-end --> Systematic security audit for PHP/JavaScript/HTML web applications. Scans 8 security layers, produces a structured report with severity-rated findings and actionable fix recommendations that Codex can apply. **Core Principle:** Scan everything before fixing anything. Full picture first, then targeted remediation. **Scope:** Web application code only (PHP, JS, HTML, CSS). For Android security and database security, use dedicated skills. **Cross-references:** `php-security` (PHP patterns), `vibe-security-skill` (OWASP), `dual-auth-rbac` (auth), `api-error-handling` (API errors) **See references/ for:** `audit-checklist-detailed.md`, `security-headers-reference.md`, `report-template.md` ## When to Use - Before deploying a web application to production - After implementing major features or modules - Periodic security review (quarterly recommended) - After discovering a vulnerability in one area (audit all areas) - When onboarding a new project or inheriting a codebase ## Audit Workflow ### Phase 1: Discovery ``` 1. App structure: entry points (public/*.php, api/*.php), config (.env, config/, php.ini, .htaccess), routes, middleware. 2. Auth flows: login/logout/register, sessions (session_start, JWT), password handling. 3. Data flows: DB queries (PDO, mysqli), external APIs (curl), uploads, output points (echo, templates). ``` ### Phase 2: Scan (8 Layers) Use parallel subagents for independent layers. Each layer produces findings with severity. **Layer execution order:** - Parallel batch 1: Configuration, HTTP Headers, Dependencies (no code dependencies) - Parallel batch 2: Auth & Sessions, Authorization (auth-related) - Parallel batch 3: Input Validation, Output & XSS, API Security (data flow) ### Phase 3: Report Generate `docs/security-audit/YYYY-MM-DD-audit.md` using the report template. ## Severity Classification | Severity | Criteria | Example | |----------|----------|---------| | CRITICAL | Exploitable now, data breach risk | SQL injection, hardcoded credentials, no auth on admin | | HIGH | Exploitable with effort, significant impact | Missing session regeneration, weak password hashing | | MEDIUM | Requires specific conditions to exploit | Missing CSRF on non-critical form, verbose errors | | LOW | Minor security weakness, defense-in-depth | Missing security header, loose CORS | | INFO | Best practice recommendation | Missing SRI on CDN, could add rate limiting | ## Layer 1: Configuration Audit **Scan targets:** php.ini, .env, .htaccess, config files, deployment configs **Critical checks:** ``` Grep patterns: display_errors\s*=\s*(On|1|true) → CRITICAL: errors shown to users expose_php\s*=\s*(On|1|true) → MEDIUM: PHP version disclosed allow_url_include\s*=\s*(On|1|true) → CRITICAL: remote file inclusion File checks: .env in webroot → CRITICAL: secrets accessible .env in .gitignore → Check: must be ignored phpinfo() calls → HIGH: full config exposed Secret patterns: password\s*=\s*['"][^'"]+['"] → HIGH: hardcoded password (api_key|secret|token)\s*= → HIGH: check if in env or hardcoded DB_(PASSWORD|HOST|USER) → Verify: in .env, not in code ``` **Fix reference:** php-security > php.ini Security Hardening, Error Handling ## Layer 2: Authentication & Sessions **Scan targets:** Login/logout handlers, session configuration, password code **Critical checks:** ``` Session security: session.use_strict_mode → Must be 1 session.cookie_httponly → Must be 1 session.use_only_cookies → Must be 1 session_regenerate_id after login → CRITICAL if missing Password handling: password_hash with PASSWORD_ARGON2ID → Required password_verify usage → Required (not manual comparison) md5() or sha1() for passwords → CRITICAL: weak hashing Auth flow: Login rate limiting → HIGH if missing Account lockout mechanism → MEDIUM if missing Session timeout enforcement → HIGH if missing Complete session destruction on logout → MEDIUM if missing Cryptographic practices: openssl_encrypt/decrypt usage → MEDIUM: prefer Libsodium (sodium_*) Custom encryption (XOR, base64 "encryption") → CRITICAL: not encryption Hardcoded encryption keys in source → CRITICAL: use env/vault random_int/random_bytes for tokens → Required (not rand/mt_rand) ``` **Fix reference:** php-security > Session Security, Cryptographic Best Practices, dual-auth-rbac > Password Security ## Layer 3: Authorization & Access Control **Scan targets:** Middleware, route guards, database queries, API endpoints **Critical checks:** ``` IDOR (Insecure Direct Object Reference): Endpoints using $_GET['id'] without ownership check → CRITICAL Queries without WHERE franchise_id = ? → CRITICAL (multi-tenant) Sequential IDs exposed in URLs → MEDIUM RBAC: Permission checks on protected routes → HIGH if missing Super admin bypass properly implemented → Check Cross-tenant data access prevention → CRITICAL if missing Route protection: Admin routes without auth middleware → CRITICAL API endpoints without authentication → HIGH (if should be protected) File access without authorization → HIGH ``` **Fix reference:** vibe-security-skill > A01 Broken Access Control, dual-auth-rbac > RBAC ## Layer 4: Input Validation **Scan targets:** All form handlers, API endpoints, file upload handlers **Critical checks:** ``` Raw input usage: $_GET[ without filter_var/validation → HIGH $_POST[ without filter_var/validation → HIGH $_REQUEST[ usage → MEDIUM (ambiguous source) SQL injection: String concatenation in SQL queries → CRITICAL "SELECT.*\$_" pattern → CRITICAL "WHERE.*\$_" pattern → CRITICAL Non-parameterized queries → CRITICAL File uploads: No MIME type validation (finfo) → HIGH No file size limit → MEDIUM Files stored in webroot → HIGH Original filename used for storage → MEDIUM Type validation: Integer inputs not validated → MEDIUM Email inputs not validated → LOW Enum values not whitelisted → MEDIUM PHP-specific vulnerabilities: == instead of === (type juggling) → HIGH: "0e123"=="0e456" is true in_array() without strict 3rd param → MEDIUM: type coercion unserialize() on user/external data → CRITICAL: object injection/RCE eval() with any variable input → CRITICAL: code execution exec/system/shell_exec/passthru → CRITICAL: command injection preg_replace with /e modifier → CRITICAL: code execution (PHP <7) include/require with user-controlled path → CRITICAL: file inclusion missing declare(strict_types=1) → LOW: type safety gap ``` **Fix reference:** php-security > Input Validation, SQL Injection Prevention, File Upload Security, PHP-Specific Vulnerabilities ## Layer 5: Output Encoding & XSS **Scan targets:** All output points (echo, print, templates), JavaScript embedding **Critical checks:** ``` XSS vulnerabilities: echo $_GET or echo $_POST → CRITICAL echo $variable without htmlspecialchars → HIGH (if user-sourced) printf with %s from user input → HIGH Template encoding: Missing ENT_QUOTES in htmlspecialchars → MEDIUM Missing UTF-8 charset parameter → LOW Raw output in JavaScript context → HIGH Content Security Policy: No CSP header set → MEDIUM CSP with 'unsafe-inline' → MEDIUM CSP with 'unsafe-eval' → HIGH No script-src directive → MEDIUM ``` **Fix reference:** php-security > Output Encoding, XSS Prevention ## Layer 6: API Security **Scan targets:** REST API endpoints, AJAX handlers, form actions **Critical checks:** ``` CSRF protection: State-changing endpoints without CSRF token → HIGH CSRF token not validated server-side → CRITICAL Missing SameSite cookie attribute → MEDIUM Rate limiting: Login endpoint without rate limiting → HIGH API endpoints without throttling → MEDIUM Password reset without rate limiting → HIGH Error disclosure: Stack traces in API responses → HIGH Database error messages exposed → CRITICAL Internal file paths in errors → MEDIUM CORS: Access-Control-Allow-Origin: * → HIGH Credentials with wildcard origin → CRITICAL Missing CORS headers (if API) → INFO Webhook security: Webhook endpoints without signature verify → CRITICAL No idempotency handling → MEDIUM ``` **Fix reference:** php-security > CSRF Protection, api-error-handling, vibe-security-skill > A02 ## Layer 7: HTTP Security Headers **Scan targets:** Response headers on all major endpoints **Required headers checklist:** ``` Strict-Transport-Security: max-age=31536000; includeSubDomains → HIGH if missing Content-Security-Policy: [see CSP section] → MEDIUM if missing X-Content-Type-Options: nosniff → LOW if missing X-Frame-Options: DENY (or SAMEORIGIN) → MEDIUM if missing Referrer-Policy: strict-origin-when-cross-origin → LOW if missing Cache-Control: no-store (on sensitive pages) → MEDIUM if missing X-Powered-By: removed → LOW if present Server: version removed → LOW if present ``` **Fix reference:** See references/security-headers-reference.md ## Layer 8: Dependencies & Supply Chain **Scan targets:** composer.json, composer.lock, package.json, CDN scripts **Critical checks:** ``` PHP dependencies: composer audit output → Severity from advisory Outdated packages (major versions) → MEDIUM composer.lock committed → HIGH if missing JavaScript: npm audit / yarn audit output → Severity from advisory CDN scripts without SRI integrity attr → MEDIUM Inline scripts from external sources → HIGH General: .env.example with real values → HIGH Credentials in package configs → CRITICAL Lock files in .gitignore → HIGH (should be committed) ``` **Fix reference:** vibe-security-skill > A03 Supply Chain ## Executing the Audit ### Step 1: Launch Discovery Subagent ``` Agent: Explore the codebase to identify: - All PHP entry points (public/, api/, *.php in webroot) - Configuration files (.env, config/, php.ini, .htaccess) - Authentication code (login, session, JWT) - Database query patterns (PDO, mysqli) - Template/output files - API endpoint definitions - JavaScript files and CDN references Return a structured map of the application. ``` ### Step 2: Launch Parallel Scan Subagents ``` Batch 1 (independent): - Agent: Scan Layer 1 (Configuration) - Agent: Scan Layer 7 (HTTP Headers) - Agent: Scan Layer 8 (Dependencies) Batch 2 (auth-dependent): - Agent: Scan Layer 2 (Auth & Sessions) - Agent: Scan Layer 3 (Authorization) Batch 3 (data-flow): - Agent: Scan Layer 4 (Input Validation) - Agent: Scan Layer 5 (Output & XSS) - Agent: Scan Layer 6 (API Security) ``` ### Step 3: Generate Report Aggregate all findings into `docs/security-audit/YYYY-MM-DD-audit.md` using the report template. Sort by severity. ### Step 4: Fix Workflow 1. Present summary to user (counts by severity) 2. Work through CRITICAL findings first 3. For each finding: show location, explain risk, apply fix, verify 4. Move to HIGH, then MEDIUM, then LOW 5. Re-run affected layer checks after fixes 6. Update report with fix status ## Audit Subagent Prompt Template For each layer, use this prompt structure: ``` You are auditing a web application for security vulnerabilities. LAYER: [Layer Name] SCOPE: [Files/patterns to scan] For each finding, report: - Severity: CRITICAL|HIGH|MEDIUM|LOW|INFO - Location: file_path:line_number - Finding: What the vulnerability is - Impact: What an attacker could do - Fix: Specific code change needed - Reference: Which skill has the fix pattern Scan these patterns: [Layer-specific grep patterns] Return findings as a structured list sorted by severity. ``` ## Anti-Patterns - Scanning only one layer and declaring the app secure - Fixing issues before completing the full scan (lose context) - Rating everything as CRITICAL (desensitizes the team) - Ignoring INFO findings (they become vulnerabilities when combined) - Auditing only new code without reviewing existing patterns - Skipping the dependency audit (most common attack vector) ## Layer 9: Network-Layer Security (Audit View) The auditor is reviewing controls, not building them. Build/operate detail (UFW commands, iptables rate-limit, ModSecurity install, WireGuard setup, TLS lifecycle) lives in [references/network-security-layer.md](references/network-security-layer.md). Audit-focused detail with checklist and severities lives in [references/network-security-audit.md](references/network-security-audit.md). Stack assumption: Debian/Ubuntu VPS, self-host preferred (Nginx + ModSecurity or Coraza + OWASP CRS), Vault for secrets and PKI, optional managed WAF (Cloudflare, AWS WAF). Out of scope: service mesh, DDoS deep-dive beyond WAF rate-limit basics. ### §N1 Host firewall ``` Inbound default policy not DROP/deny → CRITICAL SSH exposed without rate-limit → HIGH Database/admin ports public (not VPN-only or lo) → CRITICAL No egress allow-list → MEDIUM (HIGH for regulated) Live rules drift from declared rules in source ctrl → HIGH ``` Tool choice: ufw for simple single-host, nftables for new deployments, iptables only on legacy. Egress allow-list: mirrors, DNS, NTP, egress proxy or API gateway, metrics. Deny everything else to contain lateral movement. ### §N2 Web Application Firewall ``` No WAF in blocking mode at edge or reverse proxy → HIGH CRS version not pinned, no upgrade cadence → MEDIUM Blanket disables of whole rule categories → HIGH (need compensating control) False-positive log not reviewed in last 30 days → MEDIUM No rate-limit on auth and password-reset endpoints → HIGH ``` Managed (AWS WAF, Cloudflare) vs self-hosted (ModSecurity or Coraza + OWASP CRS) matrix in the reference. CRS tuning: paranoia level 1 in detection-only, replay traffic, write targeted exclusions per URI/parameter (never blanket disables), promote to blocking once false positives are under threshold, re-tune each CRS release. Prefer Coraza for new self-hosted deployments; ModSecurity v3 still supported on existing Nginx. ### §N3 Zero-trust architecture (NIST SP 800-207) ``` Internal service-to-service traffic in plaintext → HIGH Long-lived service credentials in env files → HIGH Internal apps reachable on LAN with no identity check → CRITICAL "VPN means trusted" assumption documented anywhere → HIGH No device-posture signal in IdP → MEDIUM ``` Core idea (NIST SP 800-207, August 2020): no implicit trust based on physical or network location, or asset ownership; authn and authz are discrete functions performed before every session. Concrete controls: mTLS service-to-service, identity-aware proxies (Cloudflare Access, Pomerium, Tailscale serve), short-lived workload identities via SPIFFE/SPIRE, WireGuard for the management plane. Seven foundational tenets are in §2.1 of the PDF; quote directly when writing findings. ### §N4 VPN and remote access ``` Static long-lived WireGuard peer keys, no rotation → HIGH No mapping from peer key to human identity → HIGH Shared admin VPN key used by multiple operators → CRITICAL SSH password auth still permitted on bastion → HIGH Bastion without session recording → MEDIUM VPN audit log retention < 1 year (or contractual) → MEDIUM/HIGH ``` WireGuard is the recommended default. Key distribution is explicitly out of scope of WireGuard itself — solve via Vault PKI (short-lived peer keys) or Ansible (rotated `[Peer]` blocks). Every session must map to a human identity, via an identity-aware proxy or by correlating handshake events with the IdP in the SIEM. ### §N5 Auditor evidence checklist Verify, with evidence: default-deny inbound on every public host (rule export attached); egress filter present with allow-list in source control; WAF in blocking mode at edge OR ModSecurity/Coraza + CRS at reverse proxy with CRS pinned and upgrade cadence documented; WAF false-positive log reviewed in last 30 days; mTLS between any two services crossing a host boundary OR explicit accepted-risk record; all ops access via identity-aware proxy or session-logged bastion; WireGuard peer keys rotate at least quarterly OR are short-lived from PKI; VPN audit log retention at least one year (or contractual minimum). Full reference, severity rubric, and citations: `references/network-security-audit.md`. ## Quick Start When user invokes this skill: 1. Ask: "Which project directory should I audit?" 2. Run Discovery phase 3. Launch all 8 layer scans 4. Generate report 5. Ask: "Ready to start fixing? I'll begin with [N] CRITICAL findings."
Related Skills
vibe-security-skill
Use when designing or reviewing security for a web application, API, or multi-tenant SaaS — produces threat model, abuse case list, auth/authz matrix, and secret handling plan; covers OWASP Top 10 2025 and the AI-code-generation blind spots. Neighbours — api-design-first owns auth model fields, deployment-release-engineering owns secret rotation choreography, ai-security and llm-security own model-specific threats.
network-security
Use when designing, hardening, or auditing network-layer security for self-managed Debian/Ubuntu SaaS infrastructure — firewalls (nftables/UFW), WAF (ModSecurity + OWASP CRS), VPN (WireGuard, OpenVPN, IPsec), TLS/PKI ops, IDS/IPS (Suricata, Fail2ban), zero-trust, SSH hardening, DDoS mitigation, DNS security. Complements web-app-security-audit (app layer) and cicd-devsecops (secrets/CI).
linux-security-hardening
Use when hardening a Debian/Ubuntu server — user/group/sudo hardening, file permission audits, PAM password policy + MFA, AppArmor mandatory access control, auditd system call logging, kernel sysctl hardening, file integrity monitoring (AIDE), rootkit detection (rkhunter/chkrootkit), unattended security patching, GRUB + UEFI + LUKS boot security, and CIS benchmark compliance.
skill-safety-audit
Scan new or updated skills for unsafe or malicious instructions (unknown tools, external installers, credential harvesting) before accepting them into the repository.
implementation-status-auditor
Conduct a comprehensive implementation status audit of any software project. Produces structured documentation in docs/implementation/review-{date}/ with gap analysis, schema audit, integration status, completion blueprint, and prioritized action...
ios-security-and-rbac
iOS security and authorization orchestration for Keychain, Secure Enclave, privacy, tamper resistance, permissions, RBAC, and tenant-safe mobile access.
design-audit
Comprehensive UI/UX quality audit covering visual hierarchy, accessibility, consistency, AI slop detection, typography, colour, layout, interaction states, responsive behaviour, performance, and microcopy. Produces severity-rated findings with actionable remediation.
ai-security
Use when securing an AI/LLM-powered feature against prompt injection, cross-tenant data leakage and tenant isolation failures, jailbreaks, and adversarial inputs. Covers PII scrubbing before model calls, output validation, rate limiting, audit logging, and DPPA/GDPR compliance for AI data flows.
ai-agent-approval-audit-completeness
Use when proving that every irreversible agent action in the audit window had a documented, signed approval — completeness check (gap-detection job), approval-evidence cross-link to the hash-chained action audit log, and evidence pack for SOC 2 Processing Integrity (PI1.1). Pairs with `ai-agent-action-approval-and-hitl` (mechanism) and `ai-agent-audit-log-integrity` (storage).
dpia-generator
Generate a Data Protection Impact Assessment (DPIA), Uganda DPPA 2019-compliant. Use when producing or reviewing a data protection impact assessment, a privacy impact assessment, when uganda-dppa-compliance flags [DPIA-REQUIRED], or when processing large-scale or sensitive personal data for a new feature.
code-safety-scanner
Scan any codebase for 14 critical safety issues across security vulnerabilities, server stability (500 errors), and payment misconfigurations. Use when auditing code before deployment, reviewing AI-generated code for production readiness, or...
world-class-engineering
Use when designing, building, reviewing, or upgrading production software systems that must be secure, performant, maintainable, scalable, and user-centered. Apply before writing specs, code, architecture, APIs, databases, mobile apps, SaaS platforms, or ERP systems.