playbooks

home / skills / nickcrew / claude-cortex / owasp-top-10

owasp-top-10 skill

/skills/owasp-top-10

This skill helps identify and remediate OWASP Top 10 vulnerabilities during security audits and secure coding reviews.

npx playbooks add skill nickcrew/claude-cortex --skill owasp-top-10

Review the files below or copy the command above to add this skill to your agents.

Files (13)
SKILL.md
5.0 KB
---
name: owasp-top-10
description: OWASP Top 10 security vulnerabilities with detection and remediation patterns. Use when conducting security audits, implementing secure coding practices, or reviewing code for common security vulnerabilities.
---

# OWASP Top 10 Security Vulnerabilities

Expert guidance for identifying, preventing, and remediating the most critical web application security risks based on OWASP Top 10 2021.

## When to Use This Skill

- Conducting security audits and code reviews
- Implementing secure coding practices in new features
- Reviewing authentication and authorization systems
- Assessing input validation and sanitization
- Evaluating third-party dependencies for vulnerabilities
- Designing security controls and defense-in-depth strategies
- Preparing for security certifications or compliance audits
- Investigating security incidents or suspicious behavior

## OWASP Top 10 2021 Overview

**Ranked by Risk Severity:**

1. **A01** - Broken Access Control (↑ from #5)
2. **A02** - Cryptographic Failures (formerly Sensitive Data Exposure)
3. **A03** - Injection (↓ from #1)
4. **A04** - Insecure Design (NEW)
5. **A05** - Security Misconfiguration
6. **A06** - Vulnerable and Outdated Components
7. **A07** - Identification and Authentication Failures
8. **A08** - Software and Data Integrity Failures (NEW)
9. **A09** - Security Logging and Monitoring Failures
10. **A10** - Server-Side Request Forgery (SSRF) (NEW)

## Quick Reference

Load detailed guidance for each vulnerability:

| Vulnerability | Reference File |
|---|---|
| **Broken Access Control** | `skills/owasp-top-10/references/broken-access-control.md` |
| **Cryptographic Failures** | `skills/owasp-top-10/references/cryptographic-failures.md` |
| **Injection** | `skills/owasp-top-10/references/injection.md` |
| **Insecure Design** | `skills/owasp-top-10/references/insecure-design.md` |
| **Security Misconfiguration** | `skills/owasp-top-10/references/security-misconfiguration.md` |
| **Vulnerable Components** | `skills/owasp-top-10/references/vulnerable-components.md` |
| **Authentication Failures** | `skills/owasp-top-10/references/authentication-failures.md` |
| **Integrity Failures** | `skills/owasp-top-10/references/integrity-failures.md` |
| **Logging & Monitoring** | `skills/owasp-top-10/references/logging-monitoring.md` |
| **SSRF** | `skills/owasp-top-10/references/ssrf.md` |
| **Prevention Strategies** | `skills/owasp-top-10/references/prevention-strategies.md` |
| **Assessment Workflow** | `skills/owasp-top-10/references/assessment-workflow.md` |

## Security Audit Workflow

1. **Identify Scope**: Determine application components and attack surface
2. **Select Vulnerabilities**: Choose relevant OWASP categories based on features
3. **Load Reference**: Read appropriate reference file(s) for detailed patterns
4. **Analyze Code**: Review code against vulnerable and secure patterns
5. **Document Findings**: Record vulnerabilities with severity and remediation
6. **Verify Fixes**: Test that remediations properly address issues
7. **Test Security**: Run automated security testing (SAST, DAST, SCA)

## Core Security Principles

### Defense in Depth
- Layer security controls at network, application, data, and monitoring levels
- Ensure failure of one control doesn't compromise entire system

### Secure by Default
- Deny all access by default, explicitly grant permissions
- Fail securely (errors don't expose sensitive information)
- Minimize attack surface (disable unused features)
- Apply least privilege to all accounts and services

### Input Validation
- Validate type, length, format, and allowed values
- Use allow-lists over deny-lists
- Sanitize for specific context (SQL, HTML, shell, etc.)
- Never trust client input

## Common Mistakes

1. **Trusting User Input**: Always validate and sanitize all user-supplied data
2. **Rolling Your Own Crypto**: Use established libraries (bcrypt, AES-256)
3. **Exposing Errors**: Log detailed errors internally, show generic messages to users
4. **Missing Authorization**: Check permissions on every request, not just UI
5. **Weak Session Management**: Use secure, httpOnly, sameSite cookies with HTTPS
6. **Ignoring Dependencies**: Regularly audit and update third-party libraries
7. **No Logging**: Log security events for detection and incident response
8. **Default Configurations**: Harden all systems, disable defaults

## Security Testing Tools

**SAST (Static)**: SonarQube, Semgrep, ESLint security plugins
**DAST (Dynamic)**: OWASP ZAP, Burp Suite
**SCA (Dependencies)**: npm audit, Snyk, Dependabot
**Secrets Scanning**: GitGuardian, TruffleHog
**Penetration Testing**: Metasploit, Kali Linux tools

## Resources

- **OWASP Top 10 2021**: https://owasp.org/Top10/
- **OWASP Cheat Sheets**: https://cheatsheetseries.owasp.org/
- **OWASP ASVS**: Application Security Verification Standard
- **CWE Top 25**: Common Weakness Enumeration
- **NIST Cybersecurity Framework**: https://www.nist.gov/cyberframework
- **CVE Database**: https://cve.mitre.org/
- **Snyk Vulnerability DB**: https://snyk.io/vuln/

Overview

This skill provides practical guidance on the OWASP Top 10 web application security risks, with detection patterns and concrete remediation steps. It’s designed for developers, security engineers, and auditors who need quick, actionable checks during code reviews and security assessments. The content maps each Top 10 category to prevention strategies, testing tools, and an audit workflow.

How this skill works

The skill loads concise references for each OWASP Top 10 category and explains common vulnerable patterns versus secure implementations. It recommends detection techniques (SAST, DAST, SCA, secrets scanning), specific controls to apply, and verification steps to confirm fixes. Use the included assessment workflow to scope audits, document findings, and validate remediations.

When to use it

  • Performing security audits or penetration testing
  • Conducting code reviews for new features or refactors
  • Designing authentication, authorization, or session management
  • Evaluating third-party dependencies and supply-chain risk
  • Preparing for compliance, certifications, or incident investigations

Best practices

  • Apply defense-in-depth: layer network, application, and data controls
  • Adopt secure-by-default configuration and least privilege principles
  • Validate input with allow-lists and context-aware sanitization
  • Use well-vetted crypto libraries; avoid custom cryptography
  • Keep dependencies updated and run SCA tools regularly
  • Log security events and ensure monitoring and alerting are in place

Example use cases

  • Audit an API for broken access control and recommend object-level authorization checks
  • Review password storage and migration to recommended algorithms (bcrypt, Argon2)
  • Scan a frontend build for injection and XSS patterns, then harden templates and CSP
  • Assess CI/CD pipeline for secrets exposure and add secrets scanning and rotation
  • Run dependency analysis to identify and remediate vulnerable components and transitive risks

FAQ

Does this skill include automated exploit code?

No. It provides detection patterns, remediation guidance, and recommended tools for safe testing and verification rather than exploit scripts.

Which testing tools are recommended?

Use SAST tools like Semgrep and SonarQube, DAST tools like OWASP ZAP or Burp Suite, SCA tools such as Snyk or Dependabot, and secrets scanners like GitGuardian.