- Home
- Skills
- Sergiodxa
- Agent Skills
- Owasp Security Check
owasp-security-check_skill
68
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill sergiodxa/agent-skills --skill owasp-security-check- SKILL.md11.8 KB
Overview
This skill provides concise security audit guidelines for web applications and REST APIs based on OWASP Top 10 and common web security best practices. It organizes 20 practical rules across authentication, data protection, input/output safety, configuration, and API monitoring to guide code reviews and pre-production checks. Use it to prioritize fixes, produce clear findings, and recommend concrete remediations.
How this skill works
Identify the application type (web app, SPA, SSR, REST API) and scan rules by priority: CRITICAL, HIGH, then MEDIUM. For each finding record severity, category, file/line, impact, and a specific fix including code examples where appropriate. Focus on authentication/authorization, cryptography and secrets, input/output validation, security headers/configuration, and API/monitoring controls.
When to use it
- During a security-focused code review or pull request review
- Before production deployment or after a major feature release
- When auditing authentication, authorization, or session logic
- When evaluating REST API endpoints for mass assignment, rate limits, and input validation
- When checking configuration: headers, CORS, CSRF, and cookie flags
Best practices
- Start with CRITICAL issues (auth, crypto, injection) and remediate before others
- Report each issue with severity, exact location, impact, and a minimal reproducible fix
- Prefer secure defaults: parameterized queries, strong password policies, and least privilege
- Never log secrets or return sensitive fields in responses; log safe metadata instead
- Enforce security headers, strict cookie flags, and validated CORS origins
Example use cases
- Scan a new API endpoint for IDOR, mass assignment, and missing auth checks
- Audit file upload handlers for mime/type validation and path traversal protections
- Review deployment configs for exposed debug output, missing HSTS/CSP, or permissive CORS
- Assess authentication flows for weak passwords, missing MFA, and session cookie issues
- Check dependency lists for outdated packages and run automated vulnerability audits
FAQ
Fix CRITICAL issues immediately (injection, broken auth, secrets). Address HIGH issues next (CSRF, headers, session management). Treat MEDIUM/LOW based on exposure and attack surface.
What minimal information should a report include?
Severity, category/rule, file path and line, a short description of the issue, impact, and a concrete remediation with a code example if possible.