Skill

OWASP Top 10 Web Application Security Risks

Install

npx claudepluginhub frank-luongt/faos-skills-marketplace --plugin faos-security-engineer

Tool Access

This skill uses the workspace's default tool permissions.

SKILL.md

Similar Skills

agent-introspection-debugging

Implements structured self-debugging workflow for AI agent failures: capture errors, diagnose patterns like loops or context overflow, apply contained recoveries, and generate introspection reports.

ecc

148.7k

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

ecc

148.7k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

ecc

148.7k

Stats

Parent Repo Stars1

Parent Repo Forks0

Last CommitMar 14, 2026

Actions

View Source View Plugin View on GitHub View README

name: owasp-top10 description: OWASP Top 10 (2021) web application security risks with prevention controls, detection techniques, and remediation guidance tags: [owasp, security]

OWASP Top 10 Web Application Security Risks

Overview

The OWASP Top 10 (2021 edition) is the most widely referenced standard for web application security awareness. It represents a broad consensus on the most critical security risks facing web applications, ranked by prevalence, exploitability, and impact. Security agents use this skill to identify, classify, and remediate web application vulnerabilities across the full development lifecycle.

Each category aggregates related CWEs (Common Weakness Enumerations) and provides actionable prevention guidance. The 2021 edition introduced three new categories (Insecure Design, Software and Data Integrity Failures, SSRF) and restructured several existing ones from the 2017 edition.

When to Use This Skill

Performing security code reviews on web applications
Triaging vulnerability scan results from DAST/SAST tools
Designing security controls for new application features
Writing security requirements or acceptance criteria for stories
Assessing third-party applications or APIs for security posture
Training developers on secure coding practices
Building security test cases for CI/CD pipelines

How It Works

Step 1: Identify the Risk Category

Map the observed vulnerability or concern to one of the 10 categories:

Rank	Category	Key CWEs
A01	Broken Access Control	CWE-200, CWE-284, CWE-285, CWE-352
A02	Cryptographic Failures	CWE-259, CWE-327, CWE-328, CWE-331
A03	Injection	CWE-79, CWE-89, CWE-78, CWE-94
A04	Insecure Design	CWE-209, CWE-256, CWE-501, CWE-522
A05	Security Misconfiguration	CWE-16, CWE-611, CWE-1004
A06	Vulnerable and Outdated Components	CWE-1104
A07	Identification and Authentication Failures	CWE-287, CWE-297, CWE-384
A08	Software and Data Integrity Failures	CWE-502, CWE-829
A09	Security Logging and Monitoring Failures	CWE-117, CWE-223, CWE-778
A10	Server-Side Request Forgery (SSRF)	CWE-918

Step 2: Assess the Vulnerability

For the identified category, determine:

Severity: What is the potential business impact (data breach, service disruption, compliance violation)?
Exploitability: How easy is it to exploit (unauthenticated, requires valid session, requires admin)?
Scope: How many endpoints, components, or users are affected?
Evidence: What specific code patterns, configurations, or behaviors indicate the vulnerability?

Step 3: Apply Prevention Controls

Each category has specific prevention strategies. Apply the controls relevant to your technology stack:

A01 - Broken Access Control:

Deny by default; explicitly grant permissions
Implement server-side access control checks on every request
Disable directory listing and remove metadata files from web roots
Rate-limit API and controller access to minimize automated attacks
Invalidate JWT tokens on the server after logout
Enforce record-level ownership checks (users can only access their own data)

A02 - Cryptographic Failures:

Classify data by sensitivity and apply controls per classification
Encrypt all data in transit (TLS 1.2+) and at rest (AES-256)
Do not use deprecated algorithms (MD5, SHA1, DES, RC4)
Use authenticated encryption (AES-GCM) instead of unauthenticated modes
Generate keys using cryptographically secure PRNGs
Store passwords with adaptive hashing (bcrypt, scrypt, Argon2id)

A03 - Injection:

Use parameterized queries or prepared statements for all database access
Use ORM frameworks with safe query-building methods
Validate and sanitize all user input on the server side
Escape output based on context (HTML, JS, URL, CSS, LDAP)
Deploy WAF rules as a defense-in-depth measure
Use LIMIT clauses in queries to prevent mass data disclosure

A04 - Insecure Design:

Use threat modeling during the design phase (STRIDE, PASTA)
Establish secure design patterns in a reference architecture
Write security-focused user stories and abuse cases
Implement rate limiting and resource quotas at the design level
Segregate tenant data architecturally, not just logically
Use plausibility checks and business logic validation

A05 - Security Misconfiguration:

Automate hardening with configuration management (Ansible, Terraform)
Remove unused features, components, frameworks, and documentation
Review and update configurations as part of the patch management process
Implement segmented application architecture with proper ACLs
Send security directives to clients (CSP, X-Content-Type-Options, HSTS)
Disable XML external entity processing in all XML parsers

A06 - Vulnerable and Outdated Components:

Maintain an inventory of all client-side and server-side components
Monitor CVE databases and security advisories continuously
Use Software Composition Analysis (SCA) in CI/CD pipelines
Pin dependency versions and audit lock files for unexpected changes
Obtain components only from official sources over secure links
Remove unused dependencies and orphaned components

A07 - Identification and Authentication Failures:

Implement multi-factor authentication (MFA) for all accounts
Enforce strong password policies (minimum 12 characters, no known breached passwords)
Use proven session management (server-generated, high-entropy session IDs)
Rate-limit and monitor login attempts; implement account lockout or CAPTCHA
Harden credential recovery flows against enumeration attacks
Use the same generic message for all authentication failure outcomes

A08 - Software and Data Integrity Failures:

Verify digital signatures on software updates and dependencies
Use tools like npm audit, pip-audit, or OWASP Dependency-Check in CI/CD
Do not deserialize untrusted data; if unavoidable, enforce strict type constraints
Implement code review processes for all changes to CI/CD pipelines
Ensure CI/CD pipelines have proper segregation, configuration, and access control
Use Subresource Integrity (SRI) for externally hosted scripts

A09 - Security Logging and Monitoring Failures:

Log all authentication events, access control failures, and input validation failures
Ensure logs include sufficient context (who, what, when, where, outcome)
Use structured logging (JSON) for machine-parseable log ingestion
Centralize logs in a SIEM with tamper-evident storage
Establish alerting thresholds and escalation procedures
Test incident detection with regular tabletop exercises

A10 - Server-Side Request Forgery (SSRF):

Validate and sanitize all client-supplied URLs
Enforce allowlists for permitted destination hosts, ports, and protocols
Do not send raw responses from backend requests to clients
Disable HTTP redirects in server-side HTTP clients
Deploy network-level segmentation (deny outbound to internal ranges by default)
Use metadata endpoint protection (e.g., IMDSv2 on AWS)

Step 4: Test with Tools

Use appropriate security testing tools to validate:

SAST: Semgrep, SonarQube, Bandit (Python), ESLint security plugins
DAST: OWASP ZAP, Burp Suite, Nuclei
SCA: Snyk, Dependabot, Trivy, OWASP Dependency-Check
IAM Testing: AuthMatrix (Burp extension), manual role-based testing
SSRF Testing: SSRFmap, manual curl-based probes against metadata endpoints

Step 5: Verify Remediation

After applying fixes, confirm the vulnerability is resolved:

Re-run the original test or scan that identified the issue
Verify the fix does not introduce regressions in other areas
Update the security test suite with a regression test for the vulnerability
Document the remediation in the security issue tracker

Examples

Example 1: Detecting and Fixing SQL Injection (A03)

Vulnerable code (Python/FastAPI):

# VULNERABLE - string concatenation in SQL query
@router.get("/users")
async def get_users(search: str, db: AsyncSession = Depends(get_db)):
    query = f"SELECT * FROM users WHERE name LIKE '%{search}%'"
    result = await db.execute(text(query))
    return result.fetchall()

Fixed code using parameterized queries:

# SECURE - parameterized query prevents SQL injection
@router.get("/users")
async def get_users(search: str, db: AsyncSession = Depends(get_db)):
    query = text("SELECT * FROM users WHERE name LIKE :search")
    result = await db.execute(query, {"search": f"%{search}%"})
    return result.fetchall()

Even better, use SQLAlchemy ORM:

# SECURE - ORM with safe query building
@router.get("/users")
async def get_users(search: str, db: AsyncSession = Depends(get_db)):
    stmt = select(User).where(User.name.ilike(f"%{search}%")).limit(100)
    result = await db.execute(stmt)
    return result.scalars().all()

Example 2: Implementing Proper Access Control (A01)

Vulnerable code (no ownership check):

# VULNERABLE - any authenticated user can access any tenant's data
@router.get("/tenants/{tenant_id}/reports/{report_id}")
async def get_report(tenant_id: str, report_id: str, db: AsyncSession = Depends(get_db)):
    report = await db.get(Report, report_id)
    if not report:
        raise HTTPException(status_code=404)
    return report

Fixed code with RBAC and tenant isolation:

# SECURE - enforces tenant isolation and role-based access
@router.get("/tenants/{tenant_id}/reports/{report_id}")
async def get_report(
    tenant_id: str,
    report_id: str,
    current_user: User = Depends(get_current_user),
    db: AsyncSession = Depends(get_db),
):
    # Verify user belongs to the requested tenant
    if current_user.tenant_id != tenant_id:
        raise HTTPException(status_code=403, detail="Access denied")

    # Verify user has the required role
    if "reports:read" not in current_user.permissions:
        raise HTTPException(status_code=403, detail="Insufficient permissions")

    # Fetch with tenant scoping to prevent IDOR
    stmt = (
        select(Report)
        .where(Report.id == report_id, Report.tenant_id == tenant_id)
    )
    report = (await db.execute(stmt)).scalar_one_or_none()
    if not report:
        raise HTTPException(status_code=404)
    return report

Example 3: Secure Logging Configuration (A09)

import logging
import json
from datetime import datetime, timezone


class SecurityAuditFormatter(logging.Formatter):
    """Structured JSON formatter for security-relevant events."""

    def format(self, record: logging.LogRecord) -> str:
        log_entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "level": record.levelname,
            "logger": record.name,
            "message": record.getMessage(),
            "module": record.module,
            "function": record.funcName,
        }
        # Add security context if present
        for field in ("user_id", "tenant_id", "action", "resource", "outcome", "ip_address"):
            if hasattr(record, field):
                log_entry[field] = getattr(record, field)
        return json.dumps(log_entry)


# Configure security audit logger
security_logger = logging.getLogger("security.audit")
security_logger.setLevel(logging.INFO)

handler = logging.StreamHandler()
handler.setFormatter(SecurityAuditFormatter())
security_logger.addHandler(handler)


# Usage in authentication flow
def log_auth_event(user_id: str, tenant_id: str, action: str, outcome: str, ip: str):
    security_logger.info(
        "Authentication event",
        extra={
            "user_id": user_id,
            "tenant_id": tenant_id,
            "action": action,
            "outcome": outcome,
            "ip_address": ip,
        },
    )


# Example calls
log_auth_event("usr_123", "tnt_456", "login", "success", "203.0.113.42")
log_auth_event("usr_789", "tnt_456", "login", "failure_invalid_password", "198.51.100.7")

Best Practices

Do This

Apply defense in depth: combine input validation, parameterized queries, and WAF rules
Treat all client input as untrusted, including headers, cookies, and URL parameters
Use security linters and SAST tools in pre-commit hooks and CI pipelines
Conduct threat modeling for every new feature during the design phase
Keep dependencies updated and monitor for new CVEs continuously
Log security events with structured context and centralize in a SIEM
Test access control for every role and permission combination
Use allowlists over denylists for input validation and URL filtering

Don't Do This

Do not rely solely on client-side validation for security controls
Do not store secrets, API keys, or credentials in source code or client-side storage
Do not use custom cryptographic implementations; use vetted libraries
Do not disable security headers (CSP, HSTS, X-Frame-Options) for convenience
Do not log sensitive data (passwords, tokens, PII) in application logs
Do not trust deserialized data from untrusted sources without strict validation
Do not expose detailed error messages or stack traces to end users
Do not assume internal APIs are safe from SSRF; enforce network segmentation

Security Checklist

A01 - Broken Access Control:

Server-side access control enforced on every endpoint
Record-level ownership checks prevent IDOR vulnerabilities
CORS policy restricts allowed origins to trusted domains
Directory listing disabled; sensitive files excluded from web root

A02 - Cryptographic Failures:

All data in transit protected with TLS 1.2+
Sensitive data at rest encrypted with AES-256 or equivalent
Passwords hashed with Argon2id, bcrypt, or scrypt
No deprecated algorithms (MD5, SHA1, DES) in use

A03 - Injection:

All database queries use parameterized statements or ORM
Output encoding applied per context (HTML, JS, URL)
Input validation enforced on all server-side entry points

A04 - Insecure Design:

Threat model documented for critical application flows
Rate limiting applied to authentication and sensitive endpoints
Abuse cases and negative test scenarios included in test plans

A05 - Security Misconfiguration:

Default credentials removed or changed on all components
Unnecessary features and debug endpoints disabled in production
Security headers configured (CSP, HSTS, X-Content-Type-Options)

A06 - Vulnerable Components:

Software Composition Analysis (SCA) runs in CI/CD pipeline
Dependency update policy enforced (critical CVEs patched within 48 hours)
Component inventory maintained and reviewed quarterly

A07 - Authentication Failures:

Multi-factor authentication available and enforced for privileged accounts
Session tokens are high-entropy, server-generated, and expire appropriately
Account lockout or progressive delays mitigate brute-force attacks

A08 - Integrity Failures:

CI/CD pipeline changes require code review and approval
Dependencies verified with checksums or digital signatures
Deserialization of untrusted data is avoided or strictly constrained

A09 - Logging Failures:

All authentication, access control, and input validation failures are logged
Logs are structured (JSON), centralized, and tamper-evident
Alerting configured for high-severity security events

A10 - SSRF:

Server-side URL requests validate against an allowlist of permitted destinations
Cloud metadata endpoints protected (IMDSv2 or equivalent)
HTTP redirect following disabled in server-side HTTP clients

Related Skills

@api-security-patterns - API-specific security patterns including authentication, rate limiting, and input validation
@cwe-sans-top25 - CWE/SANS Top 25 most dangerous software weaknesses with deeper CWE mapping
@owasp-api-top10 - OWASP API Security Top 10 for API-specific vulnerabilities

Additional Resources

OWASP Top 10 (2021) - Official OWASP Top 10 project page
OWASP Cheat Sheet Series - Practical secure coding guidance
OWASP Testing Guide - Comprehensive security testing methodology
OWASP ASVS - Application Security Verification Standard
CWE/MITRE - Common Weakness Enumeration database
OWASP ZAP - Free DAST tool for finding web application vulnerabilities