Agent-skills-standard common-dast-tooling

Standardize usage of Dynamic Application Security Testing (DAST) tools (ZAP, Nuclei, Nikto) and custom AI-driven curl probes for adversarial system testing. Use when advising on or running dynamic security scans on local/staging environments. (triggers: DAST, dynamic scan, zap, nuclei, nikto, curl probe, pentest, dynamic analysis)

install
source · Clone the upstream repo
git clone https://github.com/HoangNguyen0403/agent-skills-standard
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/HoangNguyen0403/agent-skills-standard "$T" && mkdir -p ~/.claude/skills && cp -r "$T/.github/skills/common/common-dast-tooling" ~/.claude/skills/hoangnguyen0403-agent-skills-standard-common-dast-tooling-d92472 && rm -rf "$T"
manifest: .github/skills/common/common-dast-tooling/SKILL.md
source content

DAST Tooling Standard

Priority: P1 (OPERATIONAL)

Always-Apply Rules

  • No Scanning Production: Never run DAST tools against live production environments. Use local or staging replicas only, and confirm the target host before every run.
  • No Uncapped Scans: Always bound crawl depth (max-depth) and wall-clock time (max-duration) so a spider cannot loop indefinitely on dynamic or parameterised routes.
  • No Anonymous Probing: Supply authenticated headers (Authorization) so protected surfaces are exercised, not only public ones; an unauthenticated pass is still useful to confirm the guards actually hold.

1. Automated DAST Tools

Follow the implementation guide for command-line setup.

  • Nuclei: Best for fast, template-based scanning for known CVEs and misconfigurations.
  • ZAP-CLI: Best for deep spidering and active web vulnerability scanning (SQLi, XSS, etc.).
  • Nikto: Quick scan for insecure server configurations and outdated server software.
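The following is an added example, not code from the skill or from any scanner's documentation: a bash wrapper that applies the three Always-Apply Rules above (staging-only target, capped runtime, authenticated requests) and emits the Nuclei, ZAP and Nikto command lines for one target. The skill names ZAP-CLI; this example drives ZAP through the zap-baseline.py script shipped in the official container image instead. The host allowlist, the staging URL, the token and the report file names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the skill or the scanners' own docs: a wrapper
# that enforces the Always-Apply Rules before handing a target to Nuclei, ZAP
# and Nikto. The host allowlist, target URL and token are assumptions.
set -u

# Assumed allowlist of local/staging hosts. Anything else is treated as
# production and refused (rule: No Scanning Production).
STAGING_HOSTS="localhost 127.0.0.1 staging.example.internal"

# Prints the hostname of a URL with scheme, port and path stripped.
url_host() {
  local h="${1#*://}"
  h="${h%%/*}"
  printf '%s\n' "${h%%:*}"
}

# Returns 0 if the URL's host is on the allowlist, 1 otherwise.
is_staging_target() {
  local host h
  host="$(url_host "$1")"
  for h in $STAGING_HOSTS; do   # word splitting on the allowlist is intended
    [ "$host" = "$h" ] && return 0
  done
  return 1
}

# Nuclei: template-based CVE/misconfiguration scan with a request-rate cap,
# a per-request timeout, a per-host error budget, and the auth header.
nuclei_cmd() {
  printf 'nuclei -u %s -H "Authorization: Bearer %s" -rate-limit 50 -timeout 5 -max-host-error 30 -severity medium,high,critical -silent\n' "$1" "$2"
}

# ZAP baseline scan from the official image. -m caps spider minutes,
# spider.maxDepth caps crawl depth, and a replacer rule injects the
# Authorization header into every request ZAP sends. -z splits its argument
# on whitespace, so the space in the header value is passed as %20.
zap_cmd() {
  local url="$1" token="$2"
  local run='docker run --rm --network host -v "$PWD:/zap/wrk:rw" ghcr.io/zaproxy/zaproxy:stable'
  local auth="-config replacer.full_list(0).description=auth"
  auth="$auth -config replacer.full_list(0).enabled=true"
  auth="$auth -config replacer.full_list(0).matchtype=REQ_HEADER"
  auth="$auth -config replacer.full_list(0).matchstr=Authorization"
  auth="$auth -config replacer.full_list(0).regex=false"
  auth="$auth -config replacer.full_list(0).replacement=Bearer%20$token"
  printf '%s zap-baseline.py -t %s -m 5 -r zap-report.html -z "-config spider.maxDepth=5 %s"\n' "$run" "$url" "$auth"
}

# Nikto: server-configuration and outdated-software checks under a hard
# wall-clock cap. Run unauthenticated here: its checks target the server
# layer rather than application routes.
nikto_cmd() {
  printf 'nikto -h %s -maxtime 10m -nointeractive -output nikto-report.txt\n' "$1"
}

# Refuses non-staging targets and an empty token, then prints the three
# capped, authenticated scan commands (dry run; pipe to sh to execute).
plan_scans() {
  local url="$1" token="${2:-}"
  if ! is_staging_target "$url"; then
    echo "refused: $(url_host "$url") is not on the staging allowlist" >&2
    return 1
  fi
  if [ -z "$token" ]; then
    echo "refused: no token supplied; protected surfaces would go untested" >&2
    return 1
  fi
  nuclei_cmd "$url" "$token"
  zap_cmd "$url" "$token"
  nikto_cmd "$url"
}

# Usage: plan_scans https://staging.example.internal "$STAGING_TOKEN" | sh
```

The flag names are the current ones for each tool; check them against the versions you have installed, and confirm in ZAP's request history that the replacer rule really added the header before trusting the authenticated results.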

2. Adversarial curl Probing (Manual)

When tools are unavailable, use the AI to generate targeted curl probes:

  • Bypassing Guards: Probe protected routes with manipulated trust headers (X-Forwarded-For, X-Custom-Auth) and compare the response against the same request with no headers; any change in status or body means the guard trusts client-supplied input.
  • Data Leakage: Request /metrics, /health, or .git directories anonymously to find exposed metadata.
  • Parameter Tampering: Modify payload types (String -> Object) or inject oversized payloads to test input validation and size limits.

Scoring Impact

Finding                                       Severity  Deduction
Unauthenticated access to private data        P0        -25
Successful SQLi/RCE via probe                 P0        -20
Info Leakage (server versions / env vars)     P1        -10
Missing security headers (CSP/HSTS)           P2        -5
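An added example, not part of the skill: a bash script that issues the three probe classes from the curl section above, adds the CSP/HSTS header check that the Scoring Impact table scores, and maps each observed response to the table row it would trigger. The base URL, the bearer token, and the routes /admin and /api/items are assumptions; the header sample used to exercise check_headers is constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the skill: manual curl probes for guard bypass,
# metadata leakage and parameter tampering, plus a CSP/HSTS check, each mapped
# to the Scoring Impact row it would trigger. BASE, TOKEN and the paths
# /admin and /api/items are assumptions.
set -u

BASE="${BASE:-http://localhost:8080}"   # local/staging replica only, never production
TOKEN="${TOKEN:-}"                      # bearer token for the authenticated requests

# Sends one request and prints only the status code. Extra arguments go to
# curl (method, headers, body). --max-time stops a hanging route stalling the run.
probe_status() {
  local path="$1"; shift
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$@" "$BASE$path"
}

# Maps a probe class and observed status to the Scoring Impact row.
# Prints "<severity> <deduction> <finding>"; returns 1 when nothing scores.
classify() {
  case "$1:$2" in
    guard:2??) echo "P0 -25 protected route reachable without valid credentials" ;;
    leak:2??)  echo "P1 -10 metadata endpoint exposed" ;;
    *)         return 1 ;;
  esac
}

# Reads raw response headers on stdin, prints each missing security header,
# and returns 1 if any is missing (Scoring Impact: P2, -5).
check_headers() {
  local hdrs h missing=0
  hdrs="$(tr -d '\r' | tr '[:upper:]' '[:lower:]')"
  for h in content-security-policy strict-transport-security; do
    if ! printf '%s\n' "$hdrs" | grep -q "^$h:"; then
      echo "P2 -5 missing header: $h"
      missing=1
    fi
  done
  return "$missing"
}

run_probes() {
  local st p body
  # 1. Bypassing guards: no token, but headers a naive trust check might honour.
  st="$(probe_status /admin -H 'X-Forwarded-For: 127.0.0.1' -H 'X-Custom-Auth: true')"
  echo "guard  /admin (spoofed headers, no token) -> $st"
  classify guard "$st" || true

  # 2. Data leakage: operational endpoints and VCS metadata reachable anonymously.
  for p in /metrics /health /.git/HEAD; do
    st="$(probe_status "$p")"
    echo "leak   $p -> $st"
    classify leak "$st" || true
  done

  # 3. Parameter tampering: string -> object type confusion, then a 64 KiB value
  # (kept under the single-argument limit). A 5xx means the input was not
  # validated; record it for triage, it has no row of its own in the table.
  for body in '{"id":"1"}' '{"id":{"$gt":""}}' "{\"id\":\"$(head -c 65536 /dev/zero | tr '\0' A)\"}"; do
    st="$(probe_status /api/items -X POST -H "Authorization: Bearer $TOKEN" \
          -H 'Content-Type: application/json' --data-binary "$body")"
    echo "tamper /api/items body_len=${#body} -> $st"
  done

  # 4. Missing security headers on the root response.
  curl -sI --max-time 10 "$BASE/" | check_headers || true
}

# Runs only when asked explicitly, so the file can be sourced for its functions:
#   BASE=http://localhost:8080 TOKEN="$STAGING_TOKEN" bash curl_probes.sh run
[ "${1:-}" = "run" ] && run_probes
```

Read the guard result next to a baseline request without the spoofed headers: a 200 on both means the route is simply public (still a finding if the data is private), while a 403 on the baseline and a 200 with X-Forwarded-For is the bypass the table scores at P0.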

Anti-Patterns

  • No static-only analysis: Pentesting MUST include feedback from dynamic execution against a running target.
  • No ignoring non-web protocols: Also check exposed Docker ports, SSH banners, and internal gRPC/RMQ listeners.
