Dynamic Application Security Testing execution and management. Configure and execute OWASP ZAP and Nuclei scans, run authenticated scanning, manage scan policies and scope, correlate findings with SAST results, and generate comprehensive vulnerability reports.
Executes dynamic security scans using OWASP ZAP and Nuclei to detect web application vulnerabilities.
You are dast-scanner - a specialized skill for Dynamic Application Security Testing (DAST) execution and management. This skill provides comprehensive capabilities for runtime vulnerability detection in web applications and APIs.
This skill enables AI-powered DAST including:
Comprehensive web application security testing:

```bash
# Start ZAP daemon (api.disablekey=true leaves the API unauthenticated: bind it only on an isolated host)
docker run -u zap -p 8080:8080 -i ghcr.io/zaproxy/zaproxy:stable zap.sh -daemon \
  -host 0.0.0.0 -port 8080 -config api.disablekey=true
# Quick baseline scan (passive checks only; mount the working directory so -J can write the report to /zap/wrk)
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
  -t https://target.example.com \
  -J report.json
# Full active scan
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://target.example.com \
  -J full-report.json
# API scan with OpenAPI (the spec file is read from the mounted working directory)
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t openapi.yaml \
  -f openapi \
  -J api-report.json
# Custom scan with ZAP CLI (zap-cli drives the daemon started above)
zap-cli quick-scan https://target.example.com
zap-cli active-scan https://target.example.com
zap-cli report -o report.html -f html
```
```xml
<!-- High-intensity scan policy -->
<scanPolicy>
  <name>high-intensity</name>
  <description>Comprehensive security scan</description>
  <attackStrength>INSANE</attackStrength>
  <alertThreshold>LOW</alertThreshold>
  <scanners>
    <scanner id="40012" enabled="true" attackStrength="HIGH"/>   <!-- Cross Site Scripting (Reflected) -->
    <scanner id="40018" enabled="true" attackStrength="INSANE"/> <!-- SQL Injection -->
    <scanner id="90019" enabled="true" attackStrength="HIGH"/>   <!-- Server Side Code Injection -->
    <scanner id="90020" enabled="true" attackStrength="INSANE"/> <!-- Remote OS Command Injection -->
  </scanners>
</scanPolicy>
```
Fast template-based vulnerability detection:

```bash
# Update templates
nuclei -update-templates
# Note: nuclei v3 renamed -json to -jsonl (-j); use that flag if your version rejects -json
# Basic scan
nuclei -target https://target.example.com -json -output nuclei-results.json
# Scan with specific templates (-templates may be repeated or given comma-separated)
nuclei -target https://target.example.com \
  -templates cves/ \
  -templates vulnerabilities/ \
  -json -output nuclei-results.json
# Scan with severity filter
nuclei -target https://target.example.com \
  -severity critical,high \
  -json -output nuclei-critical.json
# Scan multiple targets (one URL per line)
nuclei -list targets.txt \
  -severity critical,high,medium \
  -json -output nuclei-results.json
# Scan with tags
nuclei -target https://target.example.com \
  -tags owasp,cve,xss,sqli \
  -json -output nuclei-owasp.json
# Scan with rate limiting (keep this conservative against shared or production-adjacent hosts)
nuclei -target https://target.example.com \
  -rate-limit 50 \
  -concurrency 10 \
  -json -output nuclei-results.json
# Headless scanning for JS apps (runs browser-based templates)
nuclei -target https://target.example.com \
  -headless \
  -json -output nuclei-headless.json
```
| Category | Description | Templates |
|---|---|---|
| cves/ | Known CVEs | 5000+ |
| vulnerabilities/ | Generic vulnerabilities | 500+ |
| exposures/ | Sensitive data exposure | 300+ |
| misconfigurations/ | Security misconfigs | 400+ |
| technologies/ | Technology detection | 200+ |
| fuzzing/ | Fuzzing templates | 100+ |
```yaml
# custom-templates/api-key-exposure.yaml
id: api-key-exposure
info:
  name: API Key Exposure Check
  author: security-team
  severity: high
  description: Checks for exposed API keys in responses
  tags: api,exposure,secrets
http:
  - method: GET
    path:
      - "{{BaseURL}}/api/config"
      - "{{BaseURL}}/config.json"
      - "{{BaseURL}}/.env"
    matchers-condition: or
    matchers:
      - type: regex
        regex:
          - "api[_-]?key['\"]?\\s*[:=]\\s*['\"]?[a-zA-Z0-9]{20,}"
          - "secret[_-]?key['\"]?\\s*[:=]\\s*['\"]?[a-zA-Z0-9]{20,}"
        condition: or
    extractors:
      - type: regex
        regex:
          - "api[_-]?key['\"]?\\s*[:=]\\s*['\"]?([a-zA-Z0-9]{20,})"
        group: 1
```
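Before shipping a custom template, replay its matchers and extractor against sample responses to see what it catches and what it silently misses. The following is an added example (not part of the skill or of nuclei) that evaluates the template's regexes in Python against constructed bodies; nuclei uses Go's regexp, which like Python's is case-sensitive unless the pattern starts with `(?i)`.

```python
import re

# Matcher and extractor patterns from the template above, copied verbatim
# (YAML double-quote escapes resolved to plain regex syntax).
MATCHERS = [
    r"api[_-]?key['\"]?\s*[:=]\s*['\"]?[a-zA-Z0-9]{20,}",
    r"secret[_-]?key['\"]?\s*[:=]\s*['\"]?[a-zA-Z0-9]{20,}",
]
EXTRACTOR = r"api[_-]?key['\"]?\s*[:=]\s*['\"]?([a-zA-Z0-9]{20,})"


def evaluate_template(body: str, case_insensitive: bool = False) -> dict:
    """Replay the template's matcher/extractor logic on one response body.

    matchers-condition: or -> the response matches if any matcher hits.
    The extractor yields capture group 1 of every match; like nuclei,
    regexes are case-sensitive unless the template prefixes them with (?i).
    """
    flags = re.IGNORECASE if case_insensitive else 0
    matched = any(re.search(p, body, flags) for p in MATCHERS)
    extracted = [m.group(1) for m in re.finditer(EXTRACTOR, body, flags)] if matched else []
    return {"matched": matched, "extracted": extracted}


# Constructed sample bodies for the paths the template probes (plus one extra);
# none of these values are real credentials.
RESPONSES = {
    "/api/config": '{"api_key": "AbCdEfGhIjKlMnOpQrStUvWxYz012345", "env": "prod"}',  # hit
    "/.env": "SECRET_KEY=Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Qq0Pp\nDEBUG=false\n",           # miss: uppercase key
    "/config.json": '{"api_key": "short1234"}',                                       # miss: < 20 chars
    "/api/other": '{"api-key": "ab12-cd34-ef56-gh78-ij90-kl12"}',                     # miss: dashes break [a-zA-Z0-9]{20,}
}


def scan_all(responses: dict, case_insensitive: bool = False) -> dict:
    """Map each path to its evaluation result, as nuclei would per request."""
    return {path: evaluate_template(body, case_insensitive) for path, body in responses.items()}


if __name__ == "__main__":
    for path, result in scan_all(RESPONSES).items():
        print(path, result)
    # The uppercase .env key only matches once the template uses (?i); note the
    # extractor still returns nothing because it only captures api keys, not secret keys.
    print(scan_all(RESPONSES, case_insensitive=True)["/.env"])
```

The .env and dashed-key misses are the kind of false negatives a template review should catch: typical `.env` files use uppercase names, and many real key formats contain `-`, `_` or `/`.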
```bash
# Form-based authentication context (context file and user are defined in context.context, mounted below)
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
  -t https://target.example.com \
  -n context.context \
  -U authenticated-user \
  -J auth-report.json
# OAuth/Bearer token authentication: the Replacer add-on injects the header into every request
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t openapi.yaml \
  -f openapi \
  -z "-config replacer.full_list(0).description=auth \
      -config replacer.full_list(0).enabled=true \
      -config replacer.full_list(0).matchtype=REQ_HEADER \
      -config replacer.full_list(0).matchstr=Authorization \
      -config replacer.full_list(0).replacement='Bearer $TOKEN'" \
  -J api-auth-report.json
```
```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <context>
    <name>MyAppContext</name>
    <desc></desc>
    <inscope>true</inscope>
    <incregexes>https://target.example.com.*</incregexes>
    <excregexes>.*logout.*</excregexes>
    <tech>
      <include>Db.PostgreSQL</include>
      <include>Language.JavaScript</include>
      <include>OS.Linux</include>
    </tech>
    <authentication>
      <type>FormBasedAuthentication</type>
      <loggedin>\Qlogout\E</loggedin>
      <loggedout>\Qlogin\E</loggedout>
      <form>
        <loginurl>https://target.example.com/login</loginurl>
        <loginbody>username={%username%}&amp;password={%password%}</loginbody>
      </form>
    </authentication>
    <users>
      <user>
        <name>testuser</name>
        <credentials>username=testuser&amp;password=testpass</credentials>
      </user>
    </users>
  </context>
</configuration>
```
```bash
# Cookie-based authentication
nuclei -target https://target.example.com \
  -header "Cookie: session=abc123" \
  -json -output nuclei-auth.json
# Bearer token authentication
nuclei -target https://target.example.com \
  -header "Authorization: Bearer $TOKEN" \
  -json -output nuclei-auth.json
# Custom headers file (-header accepts either a header:value string or a file of them, one per line)
nuclei -target https://target.example.com \
  -header headers.txt \
  -json -output nuclei-auth.json
```
```bash
# ZAP API scan with OpenAPI
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t https://api.example.com/openapi.json \
  -f openapi \
  -J api-report.json
# Nuclei API scanning
nuclei -target https://api.example.com \
  -tags api \
  -json -output api-nuclei.json
# ZAP GraphQL scan
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
  -t https://api.example.com/graphql \
  -f graphql \
  -J graphql-report.json
# Nuclei GraphQL templates
nuclei -target https://api.example.com/graphql \
  -tags graphql \
  -json -output graphql-nuclei.json
```
Correlate static and dynamic findings:

```json
{
  "correlation_report": {
    "sast_findings": 45,
    "dast_findings": 28,
    "correlated": 12,
    "sast_only": 33,
    "dast_only": 16,
    "correlations": [
      {
        "vulnerability_type": "SQL Injection",
        "sast_finding": {
          "file": "src/api/users.py",
          "line": 42,
          "rule": "python.lang.security.audit.dangerous-sql"
        },
        "dast_finding": {
          "url": "https://api.example.com/users",
          "parameter": "id",
          "evidence": "SQL syntax error"
        },
        "confidence": "high",
        "recommendation": "Priority fix - confirmed vulnerable endpoint"
      }
    ]
  }
}
```
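The report above does not say how the two result sets are joined. The following is an added example (not the skill's own code) that produces that structure by joining findings on CWE id, with constructed Semgrep-like SAST entries and ZAP-like DAST entries; the `CWE_NAMES` table and the rule ids other than the one shown on the page are assumptions.

```python
from collections import defaultdict

# Constructed sample findings, not real scan output. SAST entries use a
# Semgrep-like shape (file, line, rule, cwe); DAST entries use the ZAP-alert-like
# shape from the report above (url, parameter, evidence, cwe).
SAST = [
    {"file": "src/api/users.py", "line": 42, "rule": "python.lang.security.audit.dangerous-sql", "cwe": "89"},
    {"file": "src/api/search.py", "line": 17, "rule": "python.flask.security.xss", "cwe": "79"},
    {"file": "src/util/hash.py", "line": 8, "rule": "python.lang.security.weak-hash", "cwe": "328"},
]
DAST = [
    {"url": "https://api.example.com/users", "parameter": "id", "evidence": "SQL syntax error", "cwe": "89"},
    {"url": "https://api.example.com/health", "parameter": None, "evidence": "Server: nginx/1.18", "cwe": "200"},
]
CWE_NAMES = {"89": "SQL Injection", "79": "Cross-Site Scripting", "200": "Information Disclosure", "328": "Weak Hash"}


def correlate(sast: list, dast: list) -> dict:
    """Join SAST and DAST findings on CWE id and emit the correlation_report structure.

    A SAST finding whose CWE was also observed at runtime is 'correlated' with high
    confidence: the dynamic hit shows the code-level sink is reachable. Findings
    seen by only one tool are counted as sast_only / dast_only.
    """
    dast_by_cwe = defaultdict(list)
    for idx, d in enumerate(dast):
        dast_by_cwe[d["cwe"]].append((idx, d))
    correlations, matched_dast, sast_only = [], set(), 0
    for s in sast:
        hits = dast_by_cwe.get(s["cwe"], [])
        if not hits:
            sast_only += 1
            continue
        for idx, d in hits:
            matched_dast.add(idx)
            correlations.append({
                "vulnerability_type": CWE_NAMES.get(s["cwe"], f"CWE-{s['cwe']}"),
                "sast_finding": {"file": s["file"], "line": s["line"], "rule": s["rule"]},
                "dast_finding": {"url": d["url"], "parameter": d["parameter"], "evidence": d["evidence"]},
                "confidence": "high",
                "recommendation": "Priority fix - confirmed vulnerable endpoint",
            })
    return {"correlation_report": {
        "sast_findings": len(sast), "dast_findings": len(dast), "correlated": len(correlations),
        "sast_only": sast_only, "dast_only": len(dast) - len(matched_dast),
        "correlations": correlations,
    }}
```

Joining on CWE alone is coarse (every SQL injection sink pairs with every SQL injection hit); where the framework's routing table is available, tighten the join by mapping the DAST URL to the handler file before pairing.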
```yaml
# scan-scope.yaml
scope:
  includes:
    - "https://target.example.com/*"
    - "https://api.target.example.com/*"
  excludes:
    - "*/logout"
    - "*/signout"
    - "*delete*"
    - "*payment*"
    - "*/static/*"
    - "*/assets/*"
rate_limiting:
  requests_per_second: 20
  delay_between_requests_ms: 50
  max_concurrent_connections: 10
authentication:
  type: bearer
  token_refresh_url: "https://auth.example.com/token"
  token_header: "Authorization"
  token_prefix: "Bearer "
scan_policy:
  attack_strength: medium
  alert_threshold: low
  scanners:
    enabled:
      - sql-injection
      - xss-reflected
      - xss-stored
      - command-injection
      - path-traversal
    disabled:
      - format-string
```
This skill can leverage the following MCP servers:
| Server | Description | Installation |
|---|---|---|
| ZAP-MCP | AI-powered OWASP ZAP integration | GitHub |
| pentestMCP | 20+ tools including ZAP, Nuclei | GitHub |
| HexStrike AI | 150+ cybersecurity tools | GitHub |
| SecOpsAgentKit dast-zap | ZAP integration | GitHub |
| SecOpsAgentKit dast-nuclei | Nuclei integration | GitHub |
```yaml
# GitHub Actions
name: DAST Scan
on:
  schedule:
    - cron: '0 2 * * *' # Nightly
  workflow_dispatch:
jobs:
  dast:
    runs-on: ubuntu-latest
    steps:
      - name: ZAP Scan
        uses: zaproxy/action-full-scan@v0.8.0
        with:
          target: ${{ secrets.STAGING_URL }}
          allow_issue_writing: false
      - name: Nuclei Scan
        uses: projectdiscovery/nuclei-action@main
        with:
          target: ${{ secrets.STAGING_URL }}
          flags: "-severity critical,high -json"
```
This skill integrates with the following processes:

- dast-scanning.js - DAST pipeline integration
- penetration-testing.js - Pen testing workflow
- devsecops-pipeline.js - DevSecOps automation
- vulnerability-management.js - Vulnerability lifecycle

When executing operations, provide structured output:
```json
{
  "operation": "dast-scan",
  "status": "completed",
  "target": "https://target.example.com",
  "tools_used": ["zap", "nuclei"],
  "scan_duration_seconds": 2340,
  "summary": {
    "total_findings": 58,
    "by_severity": {
      "critical": 3,
      "high": 12,
      "medium": 25,
      "low": 18
    },
    "by_tool": {
      "zap": 42,
      "nuclei": 16
    },
    "by_category": {
      "injection": 8,
      "xss": 12,
      "misconfiguration": 15,
      "information_disclosure": 10,
      "authentication": 5,
      "other": 8
    }
  },
  "coverage": {
    "urls_scanned": 245,
    "endpoints_tested": 89,
    "parameters_tested": 312
  },
  "top_findings": [
    {
      "severity": "critical",
      "name": "SQL Injection",
      "url": "https://target.example.com/api/users",
      "parameter": "id",
      "tool": "zap",
      "cweid": "89",
      "wascid": "19"
    }
  ],
  "artifacts": ["zap-report.json", "nuclei-results.json", "combined-dast.html"]
}
```
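ZAP and nuclei report in different shapes and severity scales, so the `summary` and `top_findings` fields above require a normalization step first. The following is an added example (not the skill's own code) that flattens a ZAP JSON report and nuclei JSONL output into one schema and computes those fields; the sample reports are constructed, and the plugin ids and CWE/WASC values in them are illustrative.

```python
import json

# Constructed sample outputs, not real scan results. ZAP's JSON report nests
# alerts under site[] with riskcode 0..3; nuclei's -json/-jsonl output is one
# JSON object per line with info.severity as text (nuclei has "critical", ZAP does not).
ZAP_REPORT = json.dumps({"site": [{"@name": "https://target.example.com", "alerts": [
    {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3", "cweid": "89", "wascid": "19",
     "instances": [{"uri": "https://target.example.com/api/users", "param": "id"}]},
    {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
     "cweid": "693", "wascid": "15", "instances": [{"uri": "https://target.example.com/", "param": ""}]},
]}]})
NUCLEI_JSONL = "\n".join([
    json.dumps({"template-id": "api-key-exposure", "info": {"name": "API Key Exposure Check",
                "severity": "high"}, "matched-at": "https://target.example.com/.env"}),
    json.dumps({"template-id": "tech-detect", "info": {"name": "Tech Detect", "severity": "info"},
                "matched-at": "https://target.example.com"}),
])
ZAP_RISK = {"0": "info", "1": "low", "2": "medium", "3": "high"}
SEVERITIES = ["critical", "high", "medium", "low", "info"]


def normalize(zap_json: str, nuclei_jsonl: str) -> list:
    """Flatten both reports into one list of findings with a shared schema."""
    findings = []
    for site in json.loads(zap_json).get("site", []):
        for a in site.get("alerts", []):
            for inst in a.get("instances", [{}]):  # one finding per affected URL/parameter
                findings.append({"tool": "zap", "name": a["alert"], "severity": ZAP_RISK[a["riskcode"]],
                                 "url": inst.get("uri"), "parameter": inst.get("param") or None,
                                 "cweid": a.get("cweid"), "wascid": a.get("wascid")})
    for line in nuclei_jsonl.splitlines():
        if line.strip():
            r = json.loads(line)
            findings.append({"tool": "nuclei", "name": r["info"]["name"], "severity": r["info"]["severity"],
                             "url": r.get("matched-at"), "parameter": None, "cweid": None, "wascid": None})
    return findings


def summarize(findings: list) -> dict:
    """Produce the summary and top_findings parts of the structured output shown above."""
    by_severity = {s: sum(1 for f in findings if f["severity"] == s) for s in SEVERITIES}
    by_tool = {t: sum(1 for f in findings if f["tool"] == t) for t in ("zap", "nuclei")}
    top = sorted((f for f in findings if f["severity"] in ("critical", "high")),
                 key=lambda f: SEVERITIES.index(f["severity"]))
    return {"summary": {"total_findings": len(findings), "by_severity": by_severity, "by_tool": by_tool},
            "top_findings": top}


if __name__ == "__main__":
    print(json.dumps(summarize(normalize(ZAP_REPORT, NUCLEI_JSONL)), indent=2))
```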
| Error | Cause | Resolution |
|---|---|---|
| Connection timeout | Target unreachable | Check network/firewall |
| Authentication failed | Invalid credentials | Verify auth config |
| Rate limited | Too aggressive | Reduce scan speed |
| Scan interrupted | Resource exhaustion | Increase resources |