Skill

owasp-top-10

Detects OWASP Top 10 2021 security vulnerabilities like broken access control and injection, with remediation patterns for audits and code reviews.

Python

Typescript

security

npx claudepluginhub nickcrew/claude-cortex

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Expert guidance for identifying, preventing, and remediating the most critical web application security risks based on OWASP Top 10 2021.

Supporting Assets

references/assessment-workflow.mdreferences/authentication-failures.mdreferences/broken-access-control.mdreferences/cryptographic-failures.mdreferences/injection.mdreferences/insecure-design.mdreferences/integrity-failures.mdreferences/logging-monitoring.mdreferences/prevention-strategies.mdreferences/security-misconfiguration.mdreferences/ssrf.mdreferences/vulnerable-components.md

SKILL.md

Similar Skills

memstack-security-owasp-top10

307

Audits web app codebases against OWASP Top 10 (2021) vulnerabilities like broken access control, IDOR, insecure configs with file:line findings and remediation. Quick or deep scan modes.

memstack

security-review

Reviews project code against OWASP Top 10 vulnerabilities: broken access control, injections (SQL, XSS, CSRF), cryptographic failures, insecure design, misconfigurations, and authentication issues.

alfred-dev

security-patterns

Provides OWASP Top 10 guidelines, secure Python/Flask coding patterns, prevention strategies, and remediation for access control and cryptographic vulnerabilities.

autonomous-agent

Stats

Stars15

Forks6

Last CommitApr 23, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

OWASP Top 10 Security Vulnerabilities

Expert guidance for identifying, preventing, and remediating the most critical web application security risks based on OWASP Top 10 2021.

When to Use This Skill

Conducting security audits and code reviews
Implementing secure coding practices in new features
Reviewing authentication and authorization systems
Assessing input validation and sanitization
Evaluating third-party dependencies for vulnerabilities
Designing security controls and defense-in-depth strategies
Preparing for security certifications or compliance audits
Investigating security incidents or suspicious behavior

OWASP Top 10 2021 Overview

Ranked by Risk Severity:

A01 - Broken Access Control (↑ from #5)
A02 - Cryptographic Failures (formerly Sensitive Data Exposure)
A03 - Injection (↓ from #1)
A04 - Insecure Design (NEW)
A05 - Security Misconfiguration
A06 - Vulnerable and Outdated Components
A07 - Identification and Authentication Failures
A08 - Software and Data Integrity Failures (NEW)
A09 - Security Logging and Monitoring Failures
A10 - Server-Side Request Forgery (SSRF) (NEW)

Quick Reference

Load detailed guidance for each vulnerability:

Vulnerability	Reference File
Broken Access Control	`skills/owasp-top-10/references/broken-access-control.md`
Cryptographic Failures	`skills/owasp-top-10/references/cryptographic-failures.md`
Injection	`skills/owasp-top-10/references/injection.md`
Insecure Design	`skills/owasp-top-10/references/insecure-design.md`
Security Misconfiguration	`skills/owasp-top-10/references/security-misconfiguration.md`
Vulnerable Components	`skills/owasp-top-10/references/vulnerable-components.md`
Authentication Failures	`skills/owasp-top-10/references/authentication-failures.md`
Integrity Failures	`skills/owasp-top-10/references/integrity-failures.md`
Logging & Monitoring	`skills/owasp-top-10/references/logging-monitoring.md`
SSRF	`skills/owasp-top-10/references/ssrf.md`
Prevention Strategies	`skills/owasp-top-10/references/prevention-strategies.md`
Assessment Workflow	`skills/owasp-top-10/references/assessment-workflow.md`

Security Audit Workflow

Identify Scope: Determine application components and attack surface
Select Vulnerabilities: Choose relevant OWASP categories based on features
Load Reference: Read appropriate reference file(s) for detailed patterns
Analyze Code: Review code against vulnerable and secure patterns
Document Findings: Record vulnerabilities with severity and remediation
Verify Fixes: Test that remediations properly address issues
Test Security: Run automated security testing (SAST, DAST, SCA)

Core Security Principles

Defense in Depth

Layer security controls at network, application, data, and monitoring levels
Ensure failure of one control doesn't compromise entire system

Secure by Default

Deny all access by default, explicitly grant permissions
Fail securely (errors don't expose sensitive information)
Minimize attack surface (disable unused features)
Apply least privilege to all accounts and services

Input Validation

Validate type, length, format, and allowed values
Use allow-lists over deny-lists
Sanitize for specific context (SQL, HTML, shell, etc.)
Never trust client input

Common Mistakes

Trusting User Input: Always validate and sanitize all user-supplied data
Rolling Your Own Crypto: Use established libraries (bcrypt, AES-256)
Exposing Errors: Log detailed errors internally, show generic messages to users
Missing Authorization: Check permissions on every request, not just UI
Weak Session Management: Use secure, httpOnly, sameSite cookies with HTTPS
Ignoring Dependencies: Regularly audit and update third-party libraries
No Logging: Log security events for detection and incident response
Default Configurations: Harden all systems, disable defaults

Security Testing Tools

SAST (Static): SonarQube, Semgrep, ESLint security plugins DAST (Dynamic): OWASP ZAP, Burp Suite SCA (Dependencies): npm audit, Snyk, Dependabot Secrets Scanning: GitGuardian, TruffleHog Penetration Testing: Metasploit, Kali Linux tools

Resources

OWASP Top 10 2021: https://owasp.org/Top10/
OWASP Cheat Sheets: https://cheatsheetseries.owasp.org/
OWASP ASVS: Application Security Verification Standard
CWE Top 25: Common Weakness Enumeration
NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
CVE Database: https://cve.mitre.org/
Snyk Vulnerability DB: https://snyk.io/vuln/