npx claudepluginhub cwinvestments/memstack --plugin memstackThis skill uses the workspace's default tool permissions.
*Audit a web application against the OWASP Top 10 (2021) vulnerability categories with actionable findings and remediation.*
Audits web applications and REST APIs for OWASP Top 10 vulnerabilities including broken access control, authentication failures, and data protection. Use when reviewing code, auth/authz, APIs, or before deployment.
Scans codebases for OWASP Top 10 vulnerabilities via static analysis: secret exposure, injection flaws, auth/authz gaps, supply-chain risks, misconfigurations, logging failures. Use before deployments, PR merges, auth/payment changes.
Audits web applications and REST APIs for OWASP Top 10 vulnerabilities including broken access control, authentication failures, data protection, and configuration issues. Use when reviewing code, auth/authz, APIs, or before deployment.
Share bugs, ideas, or general feedback.
Audit a web application against the OWASP Top 10 (2021) vulnerability categories with actionable findings and remediation.
When this skill activates, output:
🛡️ OWASP Top 10 — Running Full Vulnerability Assessment...
Then execute the protocol below.
| Context | Status |
|---|---|
| User asks for OWASP/security audit | ACTIVE — full assessment |
| User asks for vulnerability check | ACTIVE — full assessment |
| Pre-launch security review | ACTIVE — full assessment |
| User asks about a specific OWASP category | ACTIVE — targeted check for that category |
| User is actively fixing a vulnerability | DORMANT — let them work |
This skill supports two modes. Default to deep scan unless the user specifies otherwise.
| Mode | Scope | When to use |
|---|---|---|
| Quick scan | A01 (auth), A05 (headers + config), A06 (deps) | Fast pre-deploy check, CI pipeline gate, or first-pass triage |
| Deep scan | All 10 categories | Pre-launch review, security audit, compliance check |
If the user says "quick OWASP", "quick security check", or "fast scan", run only A01 + A05 + A06 and output the scorecard with the other 7 categories marked as "⏭️ SKIPPED (quick mode)".
Run each of the 10 checks below (or A01 + A05 + A06 only in quick mode). For each, search the codebase for vulnerability patterns, classify findings, and record results for the final scorecard.
Finding format: Every finding MUST include a file path and line number in the format file:line. If a finding is project-wide (e.g., "no rate limiting anywhere"), reference the most relevant file where the fix would be applied. Vague findings like "missing HSTS" without pointing to the middleware or config file are not actionable.
Risk: Users acting beyond their intended permissions — accessing other users' data, elevating privileges, or bypassing access restrictions.
Detection:
Missing auth on routes:
Find all API route files, then check each for authentication patterns (getAuthContext, getSession, auth(), or equivalent).
Insecure Direct Object References (IDOR):
Search for routes that take an ID parameter (params.id, params.userId, params.orgId) and fetch data without verifying the authenticated user owns or has access to the referenced resource.
Privilege escalation:
Search for role checks (role.*admin, isAdmin, requireRole). Verify admin-only operations actually enforce role checks, not just rely on route naming.
CORS bypass:
Search for Access-Control-Allow-Origin headers. Flag wildcard (*) with credentials enabled.
Cross-reference: Run api-audit (Checks 1-2) for detailed route-by-route auth analysis.
Remediation:
Risk: Exposure of sensitive data due to weak or missing encryption.
Detection:
Weak hashing:
Search for md5, sha1, createHash('md5'), createHash('sha1') in source files.
MD5/SHA1 for passwords is CRITICAL. For checksums/cache keys it's acceptable (INFO).
Unencrypted sensitive data: Search for password assignment patterns. Verify passwords use bcrypt/argon2/scrypt, not plaintext or weak hashing.
No HTTPS enforcement:
Check next.config.js or middleware for HTTPS redirect, x-forwarded-proto checks, Strict-Transport-Security header.
Sensitive data in URLs:
Search for token=, password=, secret=, key= in URL/redirect/query string contexts.
Remediation:
Risk: Untrusted data sent to an interpreter as part of a command or query.
Detection:
SQL injection: Search for template literals with interpolated variables inside SQL query/execute calls. Search for string concatenation in SELECT/INSERT/UPDATE/DELETE statements.
Cross-Site Scripting (XSS):
Search for dangerouslySetInnerHTML, innerHTML, __html in React/JSX files. Search for v-html in Vue files.
Command injection:
Search for shell execution imports (child_process) and calls (execSync, spawn). Verify user input is never passed to shell commands. Use execFile with argument arrays instead.
Dynamic code execution:
Search for new Function( with dynamic strings, setTimeout/setInterval with string arguments instead of function references. These allow arbitrary code execution if user input reaches them.
Cross-reference: Run api-audit (Check 5) for detailed SQL injection analysis.
Remediation:
dangerouslySetInnerHTMLexecFile() with argument arraysRisk: Missing or ineffective security controls in the application's design.
Detection:
Missing rate limits:
Search for rateLimit, rateLimiter, @upstash/ratelimit in source files. Flag login, registration, password reset, and public API routes with no rate limiting.
No account lockout: Search for login/signIn/authenticate handlers. Check if they track failed attempts.
Predictable IDs:
Search for autoIncrement, SERIAL, AUTO_INCREMENT in SQL/migration files. Flag if sequential IDs are used for user-facing resources (IDOR enabler). UUIDs preferred.
Missing CSRF protection:
Search for csrf, csrfToken, x-csrf, SameSite cookie attributes. Check if state-changing operations verify origin.
Remediation:
Risk: Insecure default configs, debug mode in production, verbose error messages, missing security headers.
Detection:
Debug mode / development settings:
Search for debug.*true, DEBUG.*=.*1, NODE_ENV.*development in source files, config, and env files (exclude .example files).
Missing security headers:
Check next.config.js or middleware for these headers:
X-Content-Type-Options: nosniffX-Frame-Options: DENY or SAMEORIGINStrict-Transport-Security (HSTS)Content-Security-Policy (CSP)Referrer-PolicyPermissions-PolicyDefault credentials:
Search for admin:admin, root:root, password:password, default.*password in source and config files.
Verbose error responses:
Search for .stack or .message in response/return contexts. Verify stack traces are not sent to clients.
Remediation:
next.config.js headers or middlewareRisk: Using libraries with known security vulnerabilities.
Detection:
# npm audit for known CVEs
npm audit --json 2>/dev/null | head -100
# Check for outdated packages
npm outdated 2>/dev/null | head -30
Cross-reference CVE databases for key dependencies:
package.json and identify the framework (Next.js, React, Express, etc.) and its exact versionnpm audit, extract the CVE ID (e.g., GHSA-xxxx-xxxx-xxxx) and note:
Classify:
Report each finding with: package@version → file:line (where it's imported or configured, e.g., package.json:15), CVE ID, severity, fixed version.
Remediation:
npm audit fix for automatic patchingRisk: Weak authentication mechanisms allowing account compromise.
Detection:
Weak password policy: Search for password length/minimum constraints. Flag if minimum length < 8 or no complexity requirements.
Missing MFA/2FA:
Search for mfa, 2fa, two.factor, totp, authenticator in source files. Flag if no MFA implementation found for admin or sensitive operations.
Session management:
Search for maxAge, expires, session.*timeout, cookie.*options. Check session duration, secure/httpOnly flags, SameSite attribute.
Credential recovery: Search for password reset flow. Check if it uses time-limited, single-use tokens.
Remediation:
httpOnly: true, secure: true, sameSite: 'lax'Risk: Code and infrastructure that doesn't verify integrity of updates, data, or CI/CD pipelines.
Detection:
Unsigned JWTs:
Search for jwt, jsonwebtoken, jose imports. Verify JWTs use strong algorithms (RS256/ES256 preferred, HS256 acceptable). Flag algorithm: 'none' as CRITICAL.
Missing Content Security Policy: Check for CSP headers in config or middleware.
No Subresource Integrity on CDN scripts:
Search for <script src="http or <link href="http in HTML/JSX. External scripts loaded without integrity attribute are vulnerable to CDN compromise.
CI/CD pipeline security:
Check GitHub Actions for unpinned actions (uses: action@main or @master or @latest). Actions should reference specific commit SHAs, not branches.
Remediation:
integrity attributes to all CDN-loaded resourcesRisk: Insufficient logging prevents detection of breaches and forensic analysis.
Detection:
Audit logging implementation: Go beyond searching for service name strings — verify actual audit logging coverage:
a. Find the audit infrastructure: Search for audit_log, audit_logs, auditLog, logAction, logEvent, activity_log in source files AND migration/schema SQL files. Identify the audit table schema (columns, what gets logged).
b. Verify critical event coverage. For each of these events, search for audit log writes (INSERT into audit table, or audit helper function calls) in the relevant route handlers:
| Event | Where to check | Risk if missing |
|---|---|---|
| Login success/failure | auth/login, auth/verify-2fa | Can't detect brute force |
| Account creation | auth/register, auth/setup | Can't detect rogue accounts |
| Password change | account/password, auth/reset-password | Can't detect account takeover |
| Permission/role change | Admin routes, role update handlers | Can't detect privilege escalation |
| Data deletion | All DELETE handlers | Can't investigate data loss |
| Admin impersonation | Impersonation routes | Can't audit admin abuse |
| Payment events | Webhook handlers, checkout routes | Can't investigate fraud |
| Settings change | Org/account settings update routes | Can't track config drift |
c. Check what's logged: Verify audit entries include who (user ID), what (action), when (timestamp), where (IP address), and target (affected resource ID). Missing any of these fields reduces forensic value.
Flag as WARNING if audit table exists but critical events are not logged. Flag as CRITICAL if no audit logging infrastructure exists at all.
Error monitoring service: Search for actual SDK initialization, not just string mentions:
Sentry.init(, @sentry/nextjs, @sentry/node in package.jsonLogRocket.init(dd-trace, @datadog/browser-rumnewrelic in package.jsonconsole.error alone is insufficient for production — errors disappear when the container restarts.Sensitive data in logs:
Search for console.log combined with password, token, secret, or body. Flag logging of passwords, tokens, or full request bodies.
Remediation:
Risk: Application fetches URLs provided by users without validation, enabling access to internal services.
Detection:
Unvalidated URL fetching:
Search for fetch(, axios.get, axios.post, got(, request( calls. For each, check if the URL comes from user input (query params, request body, database).
User-controlled redirects:
Search for redirect, res.redirect, window.location assignments. Verify redirect URLs are validated against an allowlist.
Image/file proxy endpoints:
Search for imageUrl, fileUrl, proxyUrl, downloadUrl patterns. Endpoints that fetch external resources based on user input are SSRF vectors.
Remediation:
🛡️ OWASP Top 10 Scorecard
Project: <project-name>
Assessment date: <date>
Framework: <Next.js / Express / etc.>
| # | Category | Status | Findings | Risk |
|---|----------|--------|----------|------|
| A01 | Broken Access Control | 🔴 FAIL | 3 | Critical |
| A02 | Cryptographic Failures | ✅ PASS | 0 | — |
| A03 | Injection | ⚠️ PARTIAL | 1 | Warning |
| A04 | Insecure Design | ⚠️ PARTIAL | 2 | Warning |
| A05 | Security Misconfiguration | 🔴 FAIL | 4 | Critical |
| A06 | Vulnerable Components | ⚠️ PARTIAL | 5 | Warning |
| A07 | Auth Failures | ✅ PASS | 0 | — |
| A08 | Data Integrity Failures | ⚠️ PARTIAL | 1 | Warning |
| A09 | Logging Failures | 🔴 FAIL | 2 | Critical |
| A10 | SSRF | ✅ PASS | 0 | — |
Score: 4/10 categories passing
Critical issues: <count>
Warnings: <count>
## Priority Fixes
1. [CRITICAL] A01 — Add authentication to unprotected API routes
2. [CRITICAL] A05 — Add security headers (CSP, HSTS, X-Frame-Options)
3. [CRITICAL] A09 — Set up error monitoring (Sentry recommended)
4. [WARNING] A03 — Remove dangerouslySetInnerHTML in user content component
5. [WARNING] A04 — Add rate limiting to login endpoint
6. [WARNING] A06 — Run npm audit fix for vulnerable packages
## Detailed Findings
[For each finding, include ALL of these fields:]
- **Category:** A0X name
- **Location:** `file/path:line_number` (REQUIRED — never omit)
- **Description:** What the vulnerability is
- **Risk:** CRITICAL/WARNING/INFO with exploitability × impact classification
- **Fix:** Specific code change or configuration update
## Related Audits
- Run `api-audit` for detailed route-by-route security analysis
- Run `rls-checker` for Supabase database-level access control
- Run `secrets-scanner` for credential exposure check
- Run `dependency-audit` for deep package vulnerability analysis
After generating findings, assign each a priority using exploitability × impact:
| Low Impact | Medium Impact | High Impact | |
|---|---|---|---|
| Easy to exploit (no auth needed, public endpoint) | Medium | High | Critical |
| Moderate to exploit (requires auth, specific conditions) | Low | Medium | High |
| Hard to exploit (requires admin, chain of bugs) | Info | Low | Medium |
Examples:
Include the matrix classification in the Priority Fixes section of the scorecard: [CRITICAL/HIGH/MEDIUM/LOW] A0X — description (exploitability × impact).
| Status | Meaning |
|---|---|
| ✅ PASS | No findings, or only INFO-level observations |
| ⚠️ PARTIAL | WARNING-level findings but no critical vulnerabilities |
| 🔴 FAIL | One or more CRITICAL findings in this category |