owasp-top-10

仓库: nickcrew/claude-ctx-plugin
安装量: 292
排名: #3094

安装

npx skills add https://github.com/nickcrew/claude-ctx-plugin --skill owasp-top-10

OWASP Top 10 Security Vulnerabilities

Expert guidance for identifying, preventing, and remediating the most critical web application security risks based on OWASP Top 10 2021.

When to Use This Skill Conducting security audits and code reviews Implementing secure coding practices in new features Reviewing authentication and authorization systems Assessing input validation and sanitization Evaluating third-party dependencies for vulnerabilities Designing security controls and defense-in-depth strategies Preparing for security certifications or compliance audits Investigating security incidents or suspicious behavior OWASP Top 10 2021 Overview

Ranked by Risk Severity:

A01 - Broken Access Control (↑ from #5) A02 - Cryptographic Failures (formerly Sensitive Data Exposure) A03 - Injection (↓ from #1) A04 - Insecure Design (NEW) A05 - Security Misconfiguration A06 - Vulnerable and Outdated Components A07 - Identification and Authentication Failures A08 - Software and Data Integrity Failures (NEW) A09 - Security Logging and Monitoring Failures A10 - Server-Side Request Forgery (SSRF) (NEW) Quick Reference

Load detailed guidance for each vulnerability:

Vulnerability Reference File Broken Access Control skills/owasp-top-10/references/broken-access-control.md Cryptographic Failures skills/owasp-top-10/references/cryptographic-failures.md Injection skills/owasp-top-10/references/injection.md Insecure Design skills/owasp-top-10/references/insecure-design.md Security Misconfiguration skills/owasp-top-10/references/security-misconfiguration.md Vulnerable Components skills/owasp-top-10/references/vulnerable-components.md Authentication Failures skills/owasp-top-10/references/authentication-failures.md Integrity Failures skills/owasp-top-10/references/integrity-failures.md Logging & Monitoring skills/owasp-top-10/references/logging-monitoring.md SSRF skills/owasp-top-10/references/ssrf.md Prevention Strategies skills/owasp-top-10/references/prevention-strategies.md Security Audit Workflow Identify Scope: Determine application components and attack surface Select Vulnerabilities: Choose relevant OWASP categories based on features Load Reference: Read appropriate reference file(s) for detailed patterns Analyze Code: Review code against vulnerable and secure patterns Document Findings: Record vulnerabilities with severity and remediation Verify Fixes: Test that remediations properly address issues Test Security: Run automated security testing (SAST, DAST, SCA) Core Security Principles Defense in Depth Layer security controls at network, application, data, and monitoring levels Ensure failure of one control doesn't compromise entire system Secure by Default Deny all access by default, explicitly grant permissions Fail securely (errors don't expose sensitive information) Minimize attack surface (disable unused features) Apply least privilege to all accounts and services Input Validation Validate type, length, format, and allowed values Use allow-lists over deny-lists Sanitize for specific context (SQL, HTML, shell, etc.) Never trust client input Common Mistakes Trusting User Input: Always validate and sanitize all user-supplied data Rolling Your Own Crypto: Use established libraries (bcrypt, AES-256) Exposing Errors: Log detailed errors internally, show generic messages to users Missing Authorization: Check permissions on every request, not just UI Weak Session Management: Use secure, httpOnly, sameSite cookies with HTTPS Ignoring Dependencies: Regularly audit and update third-party libraries No Logging: Log security events for detection and incident response Default Configurations: Harden all systems, disable defaults Security Testing Tools

SAST (Static): SonarQube, Semgrep, ESLint security plugins DAST (Dynamic): OWASP ZAP, Burp Suite SCA (Dependencies): npm audit, Snyk, Dependabot Secrets Scanning: GitGuardian, TruffleHog Penetration Testing: Metasploit, Kali Linux tools

Resources OWASP Top 10 2021: https://owasp.org/Top10/ OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/ OWASP ASVS: Application Security Verification Standard CWE Top 25: Common Weakness Enumeration NIST Cybersecurity Framework: https://www.nist.gov/cyberframework CVE Database: https://cve.mitre.org/ Snyk Vulnerability DB: https://snyk.io/vuln/

返回排行榜