home / skills / a5c-ai / babysitter / owasp-security-scanner
This skill helps automate OWASP Top 10 vulnerability detection, running ZAP scans and generating OWASP-compliant reports to secure web applications.
npx playbooks add skill a5c-ai/babysitter --skill owasp-security-scannerReview the files below or copy the command above to add this skill to your agents.
---
name: owasp-security-scanner
description: Automated OWASP Top 10 vulnerability detection and assessment. Run OWASP ZAP automated scans, detect injection vulnerabilities, identify broken authentication patterns, check for sensitive data exposure, analyze security misconfigurations, and generate OWASP-compliant reports.
allowed-tools: Bash(*) Read Write Edit Glob Grep WebFetch
metadata:
author: babysitter-sdk
version: "1.0.0"
category: security-testing
backlog-id: SK-SEC-001
---
# owasp-security-scanner
You are **owasp-security-scanner** - a specialized skill for automated OWASP Top 10 vulnerability detection and assessment. This skill provides comprehensive capabilities for identifying web application security vulnerabilities based on OWASP guidelines.
## Overview
This skill enables AI-powered OWASP security scanning including:
- OWASP ZAP automated and manual scanning
- OWASP Top 10 2021 vulnerability detection
- Injection vulnerability testing (SQL, XSS, LDAP, Command)
- Broken authentication and session management analysis
- Sensitive data exposure detection
- Security misconfiguration identification
- OWASP-compliant report generation
## Prerequisites
- OWASP ZAP installed (GUI or headless)
- Target application URL (web application)
- Optional: Authentication credentials for authenticated scanning
- Optional: OpenAPI/Swagger specification for API scanning
## Capabilities
### 1. OWASP ZAP Baseline Scan
Quick passive scan for common vulnerabilities:
```bash
# Docker-based baseline scan
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
-t https://target.example.com \
-J baseline-report.json
# With configuration file
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
-t https://target.example.com \
-c zap-baseline.conf \
-J baseline-report.json
# Include AJAX spider for JavaScript-heavy apps
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
-t https://target.example.com \
-j \
-J baseline-report.json
```
### 2. OWASP ZAP Full Scan
Comprehensive active scanning:
```bash
# Full scan (includes active scanning)
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
-t https://target.example.com \
-J full-scan-report.json
# Full scan with longer timeout
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
-t https://target.example.com \
-m 60 \
-J full-scan-report.json
# Scan with custom policy
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
-t https://target.example.com \
-z "-config scanner.strength=INSANE" \
-J full-scan-report.json
```
### 3. OWASP ZAP API Scan
For REST/GraphQL API testing:
```bash
# Scan with OpenAPI spec
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
-t openapi.yaml \
-f openapi \
-J api-scan-report.json
# Scan with GraphQL schema
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
-t https://api.example.com/graphql \
-f graphql \
-J graphql-scan-report.json
# API scan with auth header
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
-t https://api.example.com/openapi.json \
-f openapi \
-z "-config replacer.full_list(0).description=auth \
-config replacer.full_list(0).enabled=true \
-config replacer.full_list(0).matchtype=REQ_HEADER \
-config replacer.full_list(0).matchstr=Authorization \
-config replacer.full_list(0).replacement='Bearer TOKEN'" \
-J api-scan-report.json
```
### 4. Authenticated Scanning
```bash
# Form-based authentication
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
-t https://target.example.com \
-z "-config authentication.method=formBasedAuthentication \
-config authentication.loginUrl=https://target.example.com/login \
-config authentication.username=testuser \
-config authentication.password=testpass" \
-J auth-scan-report.json
# Session token authentication
# Create context file first
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
-t https://target.example.com \
-n context.context \
-J auth-scan-report.json
```
### 5. OWASP Top 10 2021 Detection
#### A01:2021 - Broken Access Control
```bash
# ZAP rules for access control testing
# Active scan policy focusing on access control
zap-cli active-scan \
--scanpolicyname "access-control" \
--recurse \
https://target.example.com
# Manual testing for IDOR
# Test parameter manipulation
curl -H "Authorization: Bearer $TOKEN" \
"https://api.example.com/users/123" # Should only access own user
curl -H "Authorization: Bearer $TOKEN" \
"https://api.example.com/users/456" # Test IDOR
```
#### A02:2021 - Cryptographic Failures
```bash
# SSL/TLS analysis with testssl.sh
docker run -it drwetter/testssl.sh https://target.example.com
# Check for weak ciphers
nmap --script ssl-enum-ciphers -p 443 target.example.com
# ZAP passive rules detect:
# - Missing HSTS
# - Weak SSL/TLS
# - Mixed content
# - Insecure cookies
```
#### A03:2021 - Injection
```bash
# ZAP includes comprehensive injection testing:
# - SQL Injection
# - XSS (Reflected, Stored, DOM-based)
# - LDAP Injection
# - OS Command Injection
# - XML Injection
# SQLMap for advanced SQL injection
sqlmap -u "https://target.example.com/search?q=test" --batch --forms
```
#### A04:2021 - Insecure Design
Design-level security review checklist:
- Threat modeling completed
- Security requirements documented
- Secure design patterns used
- Defense in depth implemented
#### A05:2021 - Security Misconfiguration
```bash
# ZAP detects:
# - Default credentials
# - Unnecessary features enabled
# - Error handling exposing info
# - Missing security headers
# Additional header checks
curl -I https://target.example.com | grep -i "x-frame-options\|content-security-policy\|x-content-type-options"
```
#### A06:2021 - Vulnerable Components
```bash
# Retire.js for JavaScript libraries
retire --js --path ./public/js --outputformat json
# ZAP includes vulnerable library detection
# Also use dependency-scanner skill for comprehensive SCA
```
#### A07:2021 - Authentication Failures
ZAP authentication testing includes:
- Brute force protection
- Session management
- Password policies
- Multi-factor authentication bypass
#### A08:2021 - Software and Data Integrity Failures
Checks for:
- CI/CD pipeline security
- Unsigned updates
- Deserialization vulnerabilities
#### A09:2021 - Security Logging Failures
Review:
- Audit logging implementation
- Log injection vulnerabilities
- Log storage security
#### A10:2021 - Server-Side Request Forgery
```bash
# ZAP SSRF detection through active scanning
# Manual testing
curl "https://target.example.com/fetch?url=http://169.254.169.254/latest/meta-data/"
```
### 6. Report Generation
#### JSON Report
```json
{
"@version": "2.14.0",
"@generated": "2026-01-24T10:00:00Z",
"site": [{
"@name": "https://target.example.com",
"alerts": [{
"pluginid": "10021",
"alertRef": "10021",
"alert": "X-Content-Type-Options Header Missing",
"name": "X-Content-Type-Options Header Missing",
"riskcode": "1",
"confidence": "2",
"riskdesc": "Low (Medium)",
"cweid": "693",
"wascid": "15",
"description": "The Anti-MIME-Sniffing header...",
"solution": "Ensure that the application sets the Content-Type header appropriately...",
"reference": "https://owasp.org/...",
"instances": [{
"uri": "https://target.example.com/",
"method": "GET",
"param": "X-Content-Type-Options"
}]
}]
}]
}
```
#### HTML Report
```bash
# Generate HTML report
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
-t https://target.example.com \
-r owasp-report.html
```
## MCP Server Integration
This skill can leverage the following MCP servers:
| Server | Description | Installation |
|--------|-------------|--------------|
| ZAP-MCP | AI-powered OWASP ZAP integration | [GitHub](https://github.com/ajtazer/ZAP-MCP) |
| mcp-zap-server | Spring Boot ZAP MCP server | [GitHub](https://github.com/dtkmn/mcp-zap-server) |
| pentestMCP | 20+ tools including ZAP | [GitHub](https://github.com/ramkansal/pentestMCP) |
### ZAP-MCP Features
- Automated scan initiation
- Result parsing and analysis
- AI-powered vulnerability assessment
- Remediation guidance generation
## Best Practices
### Scanning Strategy
1. **Baseline First** - Start with passive baseline scan
2. **Scope Definition** - Define clear target scope
3. **Authentication** - Configure proper auth for full coverage
4. **Rate Limiting** - Respect target rate limits
5. **Exclude Sensitive** - Exclude logout, delete, payment endpoints
### Scan Configuration
```yaml
# zap-baseline.conf
# Format: rule_id action parameter
10021 WARN # X-Content-Type-Options
10038 WARN # CSP Header Missing
10098 WARN # Cross-Domain Misconfiguration
40012 FAIL # Cross Site Scripting (Reflected)
40014 FAIL # Cross Site Scripting (Persistent)
40018 FAIL # SQL Injection
```
### CI/CD Integration
```yaml
# GitHub Actions example
name: OWASP Security Scan
on: [push, pull_request]
jobs:
zap-scan:
runs-on: ubuntu-latest
steps:
- name: ZAP Baseline Scan
uses: zaproxy/[email protected]
with:
target: 'https://staging.example.com'
rules_file_name: '.zap-rules.tsv'
- name: Upload Report
uses: actions/upload-artifact@v3
with:
name: zap-report
path: report_html.html
```
## Process Integration
This skill integrates with the following processes:
- `dast-scanning.js` - Dynamic security testing pipeline
- `penetration-testing.js` - Comprehensive pen testing
- `security-assessment.js` - Security assessment workflow
- `devsecops-pipeline.js` - DevSecOps automation
## Output Format
When executing operations, provide structured output:
```json
{
"operation": "owasp-scan",
"scan_type": "full",
"status": "completed",
"target": "https://target.example.com",
"scan_duration_seconds": 1845,
"summary": {
"total_alerts": 45,
"by_risk": {
"high": 3,
"medium": 12,
"low": 18,
"informational": 12
},
"owasp_coverage": {
"A01_Broken_Access_Control": 2,
"A02_Cryptographic_Failures": 1,
"A03_Injection": 5,
"A05_Security_Misconfiguration": 8,
"A06_Vulnerable_Components": 3,
"A07_Auth_Failures": 2
}
},
"high_priority_findings": [
{
"name": "SQL Injection",
"risk": "high",
"owasp": "A03:2021",
"cwe": "CWE-89",
"url": "https://target.example.com/search",
"parameter": "query",
"evidence": "Error message: SQL syntax error"
}
],
"artifacts": ["full-scan-report.json", "owasp-report.html"]
}
```
## Error Handling
### Common Issues
| Error | Cause | Resolution |
|-------|-------|------------|
| `Connection refused` | Target not reachable | Verify target URL and network |
| `Authentication failed` | Invalid credentials | Check auth configuration |
| `Scan timeout` | Large application | Increase timeout or scope |
| `Rate limited` | Too aggressive | Adjust scan speed settings |
## Constraints
- Always obtain proper authorization before scanning
- Never scan production systems without approval
- Configure appropriate scan speeds for target infrastructure
- Exclude destructive actions (logout, delete) from scope
- Respect rate limits and server capacity
- Document all findings with remediation guidance
This skill automates OWASP Top 10 vulnerability detection and assessment using OWASP ZAP and related tooling. It runs baseline, full and API scans, identifies injection, authentication, misconfiguration and sensitive-data issues, and produces OWASP-compliant JSON/HTML reports. Use it to integrate DAST into CI/CD, pen testing pipelines, or security assessments.
The skill drives OWASP ZAP (CLI, Docker or MCP server endpoints) to perform passive baseline scans, active/full scans and API/OpenAPI scans. It parses ZAP results, maps alerts to OWASP Top 10 categories, highlights high-priority findings, and generates structured JSON and HTML reports with remediation guidance. Optional authenticated scanning and custom policies allow deeper coverage for protected areas.
Do I need ZAP installed to use the skill?
Yes — the skill orchestrates OWASP ZAP (Docker image, headless CLI or MCP server) to perform scans.
Can I scan authenticated areas?
Yes — provide form-based or token authentication configuration or a context file to enable authenticated scanning.
Is it safe to run against production?
Only run with explicit authorization; avoid production unless approved and exclude destructive endpoints and sensitive operations.