owasp-top-10
OWASP Top 10 security vulnerabilities with detection and remediation patterns. Use when conducting security audits, implementing secure coding practices, or reviewing code for common security vulnerabilities.
OWASP Top 10 security vulnerabilities with detection and remediation patterns. Use when conducting security audits, implementing secure coding practices, or reviewing code for common security vulnerabilities.
OWASP Top 10 Security Vulnerabilities
Expert guidance for identifying, preventing, and remediating the most critical web application security risks based on OWASP Top 10 2021.
When to Use This Skill
- Conducting security audits and code reviews
- Implementing secure coding practices in new features
- Reviewing authentication and authorization systems
- Assessing input validation and sanitization
- Evaluating third-party dependencies for vulnerabilities
- Designing security controls and defense-in-depth strategies
- Preparing for security certifications or compliance audits
- Investigating security incidents or suspicious behavior
OWASP Top 10 2021 Overview
Ranked by Risk Severity:
- A01 - Broken Access Control (↑ from #5)
- A02 - Cryptographic Failures (formerly Sensitive Data Exposure)
- A03 - Injection (↓ from #1)
- A04 - Insecure Design (NEW)
- A05 - Security Misconfiguration
- A06 - Vulnerable and Outdated Components
- A07 - Identification and Authentication Failures
- A08 - Software and Data Integrity Failures (NEW)
- A09 - Security Logging and Monitoring Failures
- A10 - Server-Side Request Forgery (SSRF) (NEW)
Quick Reference
Load detailed guidance for each vulnerability:
| Vulnerability | Reference File |
|---|---|
| Broken Access Control | skills/owasp-top-10/references/broken-access-control.md |
| Cryptographic Failures | skills/owasp-top-10/references/cryptographic-failures.md |
| Injection | skills/owasp-top-10/references/injection.md |
| Insecure Design | skills/owasp-top-10/references/insecure-design.md |
| Security Misconfiguration | skills/owasp-top-10/references/security-misconfiguration.md |
| Vulnerable Components | skills/owasp-top-10/references/vulnerable-components.md |
| Authentication Failures | skills/owasp-top-10/references/authentication-failures.md |
| Integrity Failures | skills/owasp-top-10/references/integrity-failures.md |
| Logging & Monitoring | skills/owasp-top-10/references/logging-monitoring.md |
| SSRF | skills/owasp-top-10/references/ssrf.md |
| Prevention Strategies | skills/owasp-top-10/references/prevention-strategies.md |
Security Audit Workflow
- Identify Scope: Determine application components and attack surface
- Select Vulnerabilities: Choose relevant OWASP categories based on features
- Load Reference: Read appropriate reference file(s) for detailed patterns
- Analyze Code: Review code against vulnerable and secure patterns
- Document Findings: Record vulnerabilities with severity and remediation
- Verify Fixes: Test that remediations properly address issues
- Test Security: Run automated security testing (SAST, DAST, SCA)
Core Security Principles
Defense in Depth
- Layer security controls at network, application, data, and monitoring levels
- Ensure failure of one control doesn't compromise entire system
Secure by Default
- Deny all access by default, explicitly grant permissions
- Fail securely (errors don't expose sensitive information)
- Minimize attack surface (disable unused features)
- Apply least privilege to all accounts and services
Input Validation
- Validate type, length, format, and allowed values
- Use allow-lists over deny-lists
- Sanitize for specific context (SQL, HTML, shell, etc.)
- Never trust client input
Common Mistakes
- Trusting User Input: Always validate and sanitize all user-supplied data
- Rolling Your Own Crypto: Use established libraries (bcrypt, AES-256)
- Exposing Errors: Log detailed errors internally, show generic messages to users
- Missing Authorization: Check permissions on every request, not just UI
- Weak Session Management: Use secure, httpOnly, sameSite cookies with HTTPS
- Ignoring Dependencies: Regularly audit and update third-party libraries
- No Logging: Log security events for detection and incident response
- Default Configurations: Harden all systems, disable defaults
Security Testing Tools
SAST (Static): SonarQube, Semgrep, ESLint security plugins
DAST (Dynamic): OWASP ZAP, Burp Suite
SCA (Dependencies): npm audit, Snyk, Dependabot
Secrets Scanning: GitGuardian, TruffleHog
Penetration Testing: Metasploit, Kali Linux tools
Resources
- OWASP Top 10 2021: https://owasp.org/Top10/
- OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/
- OWASP ASVS: Application Security Verification Standard
- CWE Top 25: Common Weakness Enumeration
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
- CVE Database: https://cve.mitre.org/
- Snyk Vulnerability DB: https://snyk.io/vuln/
You Might Also Like
Related Skills
create-pr
Creates GitHub pull requests with properly formatted titles that pass the check-pr-title CI validation. Use when creating PRs, submitting changes for review, or when the user says /pr or asks to create a pull request.
n8n-io
electron-chromium-upgrade
Guide for performing Chromium version upgrades in the Electron project. Use when working on the roller/chromium/main branch to fix patch conflicts during `e sync --3`. Covers the patch application workflow, conflict resolution, analyzing upstream Chromium changes, and proper commit formatting for patch fixes.
electron
pr-creator
Use this skill when asked to create a pull request (PR). It ensures all PRs follow the repository's established templates and standards.
google-gemini
clawdhub
Use the ClawdHub CLI to search, install, update, and publish agent skills from clawdhub.com. Use when you need to fetch new skills on the fly, sync installed skills to latest or a specific version, or publish new/updated skill folders with the npm-installed clawdhub CLI.
moltbottmux
Remote-control tmux sessions for interactive CLIs by sending keystrokes and scraping pane output.
moltbot
create-pull-request
Create a GitHub pull request following project conventions. Use when the user asks to create a PR, submit changes for review, or open a pull request. Handles commit analysis, branch management, and PR creation using the gh CLI tool.
cline