playbooks

home / skills / shotaiuchi / dotclaude / test-security

test-security skill

/dotclaude/skills/test-security

This skill helps you design comprehensive security tests for authentication, authorization, and data protection to prevent breaches.

npx playbooks add skill shotaiuchi/dotclaude --skill test-security

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
2.1 KB
---
name: test-security
description: >-
  Security test creation. Apply when writing tests for authentication,
  authorization, input validation, injection prevention, CSRF protection,
  and data encryption verification.
user-invocable: false
---

# Security Tests

Write security tests that verify authentication, authorization, and data protection.

## Test Creation Checklist

### Authentication Testing
- Verify login succeeds with valid credentials and fails with invalid ones
- Test token expiration, refresh, and revocation flows
- Check multi-factor authentication enforcement and bypass prevention
- Validate session management (creation, timeout, invalidation)
- Test brute-force protection and account lockout mechanisms

### Authorization Boundary Testing
- Verify role-based access control for all protected resources
- Test horizontal privilege escalation (accessing other users' data)
- Test vertical privilege escalation (performing admin-only actions)
- Check authorization enforcement at API layer, not just UI
- Validate that denied requests return no sensitive information in errors

### Injection Prevention
- Test SQL injection with parameterized and raw query inputs
- Verify XSS prevention in all user-generated content rendering
- Check command injection in system call parameters
- Test path traversal in file upload and download operations
- Validate LDAP, XML, and template injection resistance

### Data Protection Verification
- Verify sensitive data encryption at rest and in transit
- Check that secrets are not logged, cached, or exposed in errors
- Test PII masking in logs, exports, and API responses
- Validate secure deletion of sensitive data on user request
- Confirm CORS, CSP, and security header configuration

## Output Format

Report test plan with priority ratings:

| Priority | Description |
|----------|-------------|
| Must | Tests preventing authentication bypass and data exposure |
| Should | Authorization boundary tests for privilege escalation |
| Could | Defense-in-depth tests for secondary attack vectors |
| Won't | Theoretical attacks requiring physical access or insider threat |

Overview

This skill helps you design and generate security test plans focused on authentication, authorization, input validation, injection prevention, CSRF protection, and data encryption. It produces prioritized, actionable test cases and a concise report format to guide implementation. Use it to ensure critical protections are covered and to communicate testing priorities to engineers and QA.

How this skill works

The skill inspects common security areas and converts them into concrete test scenarios with priority ratings (Must, Should, Could, Won't). It outlines checks for login flows, token management, role boundaries, injection vectors, data-at-rest and in-transit protections, and security headers. The output is a structured test plan that teams can execute or translate into automated test scripts.

When to use it

  • Before a release that changes auth, session, or token handling
  • When adding or modifying role-based access controls or permissions
  • During security sprints or threat modeling to create test coverage
  • When validating data protection after storage or transport changes
  • While hardening APIs and web apps against injection and XSS

Best practices

  • Prioritize 'Must' tests to block authentication bypass and data exposure first
  • Validate authorization at the API layer, not solely in UI checks
  • Use parameterized queries and input sanitization for all data touchpoints
  • Include automated regression tests for token expiration, revocation, and MFA
  • Mask or redact sensitive values in logs, exports, and error messages

Example use cases

  • Create a test suite that verifies login success/failure, token refresh, and session invalidation with 'Must' priority
  • Validate role enforcement by testing horizontal and vertical privilege escalation attempts ('Should')
  • Run injection tests (SQL, XSS, command, path traversal) and mark defense-in-depth checks as 'Could'
  • Confirm encryption at rest and in transit, CORS/CSP headers, and secure deletion workflows
  • Produce a concise test report mapping each scenario to Must/Should/Could/Won't priorities for stakeholders

FAQ

How are priority ratings assigned?

Priorities map to risk and impact: Must for authentication/data exposure, Should for authorization boundaries, Could for secondary defenses, and Won't for theoretical physical or insider-only attacks.

Can these tests be automated?

Yes. Most scenarios translate to automated API or end-to-end tests; token/session flows, injection payloads, and header checks are commonly scripted.

What areas should be tested first?

Start with authentication, session/token handling, and any endpoints that expose sensitive data; these are high-impact 'Must' items.