Marketplace web-security-testing
Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.
install
source · Clone the upstream repo
git clone https://github.com/aiskillstore/marketplace
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/aiskillstore/marketplace "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/sickn33/web-security-testing" ~/.claude/skills/aiskillstore-marketplace-web-security-testing && rm -rf "$T"
manifest:
skills/sickn33/web-security-testing/SKILL.mdsource content
Web Security Testing Workflow
Overview
Specialized workflow for testing web applications against OWASP Top 10 vulnerabilities including injection attacks, XSS, broken authentication, and access control issues.
When to Use This Workflow
Use this workflow when:
- Testing web application security
- Performing OWASP Top 10 assessment
- Conducting penetration tests
- Validating security controls
- Bug bounty hunting
Workflow Phases
Phase 1: Reconnaissance
Skills to Invoke
- Security scanningscanning-tools
- OWASP knowledgetop-web-vulnerabilities
Actions
- Map application surface
- Identify technologies
- Discover endpoints
- Find subdomains
- Document findings
Copy-Paste Prompts
Use @scanning-tools to perform web application reconnaissance
Phase 2: Injection Testing
Skills to Invoke
- SQL injectionsql-injection-testing
- SQLMapsqlmap-database-pentesting
Actions
- Test SQL injection
- Test NoSQL injection
- Test command injection
- Test LDAP injection
- Document vulnerabilities
Copy-Paste Prompts
Use @sql-injection-testing to test for SQL injection
Use @sqlmap-database-pentesting to automate SQL injection testing
Phase 3: XSS Testing
Skills to Invoke
- XSS testingxss-html-injection
- HTML injectionhtml-injection-testing
Actions
- Test reflected XSS
- Test stored XSS
- Test DOM-based XSS
- Test XSS filters
- Document findings
Copy-Paste Prompts
Use @xss-html-injection to test for cross-site scripting
Phase 4: Authentication Testing
Skills to Invoke
- Authentication testingbroken-authentication
Actions
- Test credential stuffing
- Test brute force protection
- Test session management
- Test password policies
- Test MFA implementation
Copy-Paste Prompts
Use @broken-authentication to test authentication security
Phase 5: Access Control Testing
Skills to Invoke
- IDOR testingidor-testing
- Path traversalfile-path-traversal
Actions
- Test vertical privilege escalation
- Test horizontal privilege escalation
- Test IDOR vulnerabilities
- Test directory traversal
- Test unauthorized access
Copy-Paste Prompts
Use @idor-testing to test for insecure direct object references
Use @file-path-traversal to test for path traversal
Phase 6: Security Headers
Skills to Invoke
- Security headersapi-security-best-practices
Actions
- Check CSP implementation
- Verify HSTS configuration
- Test X-Frame-Options
- Check X-Content-Type-Options
- Verify referrer policy
Copy-Paste Prompts
Use @api-security-best-practices to audit security headers
Phase 7: Reporting
Skills to Invoke
- Security reportingreporting-standards
Actions
- Document vulnerabilities
- Assess risk levels
- Provide remediation
- Create proof of concept
- Generate report
Copy-Paste Prompts
Use @reporting-standards to create security report
OWASP Top 10 Checklist
- A01: Broken Access Control
- A02: Cryptographic Failures
- A03: Injection
- A04: Insecure Design
- A05: Security Misconfiguration
- A06: Vulnerable Components
- A07: Authentication Failures
- A08: Software/Data Integrity
- A09: Logging/Monitoring
- A10: SSRF
Quality Gates
- All OWASP Top 10 tested
- Vulnerabilities documented
- Proof of concepts captured
- Remediation provided
- Report generated
Related Workflow Bundles
- Security auditingsecurity-audit
- API securityapi-security-testing
- WordPress securitywordpress-security