Skill

web-security-review

Reviews web applications against OWASP Top 10 (2021) risks including injection, broken access control, XSS, and SSRF. Use for auditing web apps, server-side code, or web frameworks.

React

Vue

npx claudepluginhub cmaenner/agent-security-playbook

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Review web applications against all 10 OWASP Top 10 risks by following the full procedure in `plays/tier1-code-analysis/owasp-top10-web-review.md`.

SKILL.md

Similar Skills

owasp-top-ten-check

Audit application architecture and code against OWASP Top 10 vulnerabilities. Use when assessing application security posture and prioritizing fixes.

secure-development

owasp-security-review

Reviews code and architectures against OWASP Top 10:2025 web application security risks. Useful for vulnerability audits, codebase reviews, remediation guidance, and secure coding patterns.

11 files

ts-dev-kit

memstack-security-owasp-top10

323

Audits web app codebases against OWASP Top 10 (2021) vulnerabilities like broken access control, IDOR, insecure configs with file:line findings and remediation. Quick or deep scan modes.

memstack

Stats

Stars5

Forks2

Last CommitMar 7, 2026

Used By2 plugins

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Web Security Review (OWASP Top 10)

Review web applications against all 10 OWASP Top 10 risks by following the full procedure in plays/tier1-code-analysis/owasp-top10-web-review.md.

Steps

Application Mapping — Identify framework/language, deployment model (monolith/microservices), trust boundaries (internet/internal/local), data sensitivity (PII, financial, health), and authentication mechanisms.

Assess Each OWASP Top 10 Risk:

A01 Broken Access Control — Missing authz checks, IDOR, privilege escalation, path traversal, CORS misconfigurations
A02 Cryptographic Failures — Weak algorithms, missing TLS, hardcoded keys, improper key management, cleartext storage
A03 Injection — SQLi, NoSQLi, OS command injection, LDAP injection, XSS, SSTI, XPath injection
A04 Insecure Design — Missing security requirements, business logic flaws, insecure workflows, threat modeling gaps
A05 Security Misconfiguration — Default configs, verbose errors, missing headers, unnecessary features, outdated components
A06 Vulnerable Components — Unpatched libraries, unsupported dependencies, lack of inventory, missing SBOM
A07 Identification & Auth Failures — Weak passwords, session issues, MFA gaps, credential stuffing, brute force
A08 Software & Data Integrity Failures — Insecure deserialization, unsigned updates, CI/CD attacks, dependency confusion
A09 Security Logging & Monitoring Failures — Missing audit logs, insufficient monitoring, no incident response capability
A10 Server-Side Request Forgery (SSRF) — Unvalidated URL parameters, internal service access, cloud metadata endpoints

Framework-Specific Analysis — Apply checks for detected framework (React, Angular, Vue, Express, Django, Flask, Rails, Spring, ASP.NET, Laravel).

Configuration Review — Examine web server configs (nginx, Apache), application configs, and deployment manifests for security settings.

Output

Application overview, risk matrix for all 10 categories with severity/status, detailed findings using templates/finding.md, positive controls observed, and prioritized remediation roadmap.

OWASP References

OWASP Top 10 for Web Applications (2021)

OWASP ASVS v5.0 — Application Security Verification Standard

OWASP Testing Guide (WSTG)

OWASP Cheat Sheet Series