Skill

owasp-top10

OWASP Top 10 (2021) review disipline — A01 Broken Access Control (IDOR, CORS, JWT scope, force browse), A02 Cryptographic Failures (TLS 1.2+, HSTS, argon2id, secret manager, log redact), A03 Injection (parameterized query, allowlist input, output encoding, shell=False), A04 Insecure Design (threat model, misuse case, defense-in-depth, rate limit), A05 Security Misconfiguration (security header, default cred, verbose error, container hardening), A06 Vulnerable Components (SBOM, CVE SLA, EOL stack), A07 Auth Failures (MFA, session rotation, JWT validate, OAuth PKCE/state), A08 Integrity (signed CI/CD, SLSA, deserialization safe, webhook HMAC), A09 Logging Failures (auth event, WORM, PII redact, alert), A10 SSRF (URL allowlist, metadata block, DNS rebind). CI gate önerisi (gitleaks, semgrep, trivy, OSV, ZAP).

npx claudepluginhub resultakak/argos --plugin argos

Tool Access

This skill uses the workspace's default tool permissions.

Preview

`agents/shared/severity-rubric.md` ve `agents/shared/escalation-matrix.md`

SKILL.md

Similar Skills

using-superpowers

185.1k

Mandates invoking relevant skills via tools before any response in coding sessions. Covers access, priorities, and adaptations for Claude Code, Copilot CLI, Gemini CLI.

3 files

superpowers

Stats

Stars0

Forks0

Last CommitMay 11, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

OWASP Top 10 (2021)

Ortak Doktrin

agents/shared/severity-rubric.md ve agents/shared/escalation-matrix.md default-load sayılır (agents/coordination.md §11). Bu skill'in çıktısı Critical / High / Medium / Low + kanıt formatında olmak zorunda — spekülatif Critical yasak. Sahiplik dışı bulgu ilgili agent'a delege; karar yetkisi eşiği aşılırsa kullanıcı onayı zorunlu.

Felsefe

Default deny her authz katmanı.
Defense-in-depth — tek katman tek failure.
Parameterized everywhere — string concat user input YASAK.
Crypto hazır kütüphane — kendi yazma.
PII redact log — leak retroactive temizlenemez.
CVE SLA disiplin (Critical < 7g).
Signed CI/CD integrity tek savunma.
Threat model her major feature.

Ne Zaman Kullanılır

Yeni feature security review (pre-merge gate)
Major release pre-prod security audit
Pentest hazırlık
Compliance review (SOC 2, ISO 27001, PCI DSS)
Yeni microservice production-readiness
Incident postmortem (root-cause OWASP bucket'a haritalama)
Quarterly security baseline scan
Security CI gate kurulum
Bug bounty rapor triage
Threat model session yardımcı checklist

Workflow — Each "A" Audit

A01: Broken Access Control

# IDOR sweep — endpoint scope check
grep -rn "request.params\|req.params" src/ | grep -i "id"
# CORS audit
grep -rn "Access-Control-Allow-Origin" .
curl -I -H "Origin: https://evil.com" https://api.acme.com/me

Default deny mi?
Authz check her sensitive endpoint'te?
IDOR: /orders/{id} owner verify?
JWT scope + audience?
CORS * + credentials YASAK kontrol.
/admin path scope check?

A02: Cryptographic Failures

# Password hashing scan
grep -rnE "md5|sha1|sha256.*password" src/
# Hard-coded secret
gitleaks detect --no-banner
# Sensitive in log
grep -rnE "log.*password|log.*token|log.*card" src/

TLS 1.2+ + HSTS aktif mi?
Password = argon2id / bcrypt 12+?
Random = secure (secrets, crypto.randomBytes)?
Secret manager (Vault/SM/SOPS)?
PII log redact (email, card, SSN, JWT)?

A03: Injection

# SQL string concat
grep -rnE "execute\(.*f\"|execute\(.*\+|raw\(.*\+" src/
# Shell injection
grep -rn "shell=True\|os.system\|popen" src/
# eval/exec
grep -rnE "\beval\(|\bexec\(" src/

Parameterized query/ORM her DB call?
Input validation allowlist (regex/enum)?
Output encoding context-aware (HTML/attr/JS/URL)?
subprocess.run([...], shell=False)?
LDAP/XPath/NoSQL parameterized?

A04: Insecure Design

Threat model var mı (STRIDE/LINDDUN)?
Misuse/abuse case acceptance criteria'da?
Rate limit + lockout auth endpoint?
Business logic abuse case (race/replay/refund loop) test'i?
Separation of duties (admin min)?

A05: Security Misconfiguration

# Security header probe
curl -sI https://acme.com/ | grep -iE "strict-transport|content-security|x-frame|x-content-type|referrer-policy"
# Verbose error prob
curl -s "https://api.acme.com/order/'" | head -50  # SQL bozuk → stack trace?
# Server header
curl -sI https://acme.com/ | grep -iE "^server|x-powered-by"

Default cred çıkarıldı mı?
Verbose error prod KAPALI?
X-Powered-By / Server header strip?
Tüm security header var mı (HSTS/CSP/X-CTO/X-FO/Referrer/Permissions)?
Bucket private default?
Cloud metadata SSRF allowlist'te değil?
Container non-root + RO FS + cap drop ALL?

A06: Vulnerable Components

# Python
pip-audit
# Node
npm audit --omit=dev
# Go
govulncheck ./...
# Container
trivy image acme/api:1.4.7 --severity HIGH,CRITICAL
# OSV
osv-scanner -r .

SBOM (CycloneDX/SPDX) artifact?
CVE policy SLA (Critical 7g, High 30g)?
Lockfile pin?
EOL stack yok (Python 3.8-, Node 16-)?
Distroless/minimal base image?
Renovate/Dependabot aktif?

A07: Authentication Failures

MFA admin + high-risk action?
Password policy NIST (min 12, breach-list, no forced rotation)?
Brute force rate limit + lockout?
Session: Secure + HttpOnly + SameSite + idle 15-30dk + absolute 12h + rotation on auth?
JWT: exp ≤ 15dk + refresh + iss/aud/nbf/iat validate + alg pin (none YASAK)?
OAuth/OIDC PKCE + state + nonce + redirect_uri exact?
Password reset: single-use, expire 15dk, time-constant compare?

A08: Integrity Failures

CI/CD signed commit + signed build (cosign)?
Container image signing?
SLSA Level target (3+)?
Auto-update signature verify?
Deserialization safe (no pickle untrusted, no Java native)?
CDN SRI third-party?
Webhook HMAC SHA-256 + timestamp ±5dk + replay nonce?

A09: Logging & Monitoring Failures

Log: auth success/fail, authz fail, input validation fail, integrity fail?
WORM/append-only (S3 Object Lock veya Loki immutable)?
Retention 90g hot + 1y cold?
PII redact (email, IP partial, card masked)?
Alert: brute force, priv esc, unusual geo, mass enum?
SIEM centralize + on-call?
Tamper detection prod?

A10: SSRF

# URL fetch endpoints
grep -rnE "requests\.get\(|fetch\(|axios\(|urllib\.urlopen\(" src/ | grep -v "config\.\|env\.\|const URL"

URL allowlist (host + scheme http/https)?
DNS rebind: resolve + pin IP + private check?
Metadata service block (169.254.169.254 + 100.100.100.200)?
Egress NetworkPolicy K8s?
PDF/HTML render sandbox?
Webhook target validate?

CI Gate Check

pre-commit: gitleaks + bandit + semgrep aktif mi?
CI: pip-audit/npm-audit/govulncheck/trivy/osv-scanner + tfsec/checkov/kubesec + ZAP baseline?
Container scan HIGH+ fail policy?
Pentest annual + feature threat model?

Findings Format

| Sev | OWASP | Bulgu | Kanıt | Sahip | Tarih |
| Critical | A01 | `/orders/{id}` IDOR — owner check yok | `tests/idor_test.py:42` 200 dönüyor başka tenant id ile | @backend | 2026-05-18 |
| High | A02 | Password bcrypt cost 4 (12 olmalı) | `auth/hash.py:11` `bcrypt.gensalt(4)` | @backend | 2026-05-23 |
| High | A05 | CSP `unsafe-inline` | response header dump | @frontend | 2026-05-30 |
| Medium | A07 | JWT exp 24h (15dk + refresh olmalı) | `auth/jwt.py:8` | @backend | 2026-06-06 |

Antipatterns

rules/owasp-top10.md "Yasaklar" listesi tam tutar; tekrar yok.

Özet: authz yok + CORS * + cred / SHA password / Math.random token / shell=True / verbose error / HSTS yok / CSP unsafe-inline / container root / EOL / MFA yok admin / JWT none / OAuth state yok / pickle untrusted / SSRF metadata open / log PII / webhook HMAC yok / Critical CVE > 7g / SBOM yok.

Delege

security-reviewer agent — ana sahip; bu skill prosedür taşır.
threat-modeling skill — A04 insecure design (STRIDE).
secure-deployment-review skill — A05 misconfig + A06 component + container.
dependency-risk-auditor agent — A06 CVE + license.
production-readiness-reviewer — A09 logging + alert gate.
compliance-controls skill — SOC 2 / ISO mapping.
incident-commander — A09 alert response prosedür.

Çıktı şablonu

# OWASP Top 10 Review: checkout-svc

## Scope
- Repo: github.com/acme/checkout-svc @ v1.4.7
- Endpoint sayısı: 23
- Stack: Python 3.12 / FastAPI / Postgres / Redis
- Container: distroless-python:3.12-slim

## Findings (12 toplam: 3 Critical / 4 High / 3 Medium / 2 Low)

### A01 Broken Access Control
- **Critical** — `/orders/{id}` IDOR (owner check yok)
- **High** — Admin path `/admin/refund` JWT scope check eksik

### A02 Cryptographic Failures
- **Critical** — Password SHA-256 (argon2id olmalı)
- **High** — Sensitive log redact yok (email + last4 card)

### A03 Injection
- **Medium** — Raw SQL 2 endpoint (parameterize)

### A05 Security Misconfiguration
- **High** — CSP yok response
- **Medium** — Container root user
- **Low** — `X-Powered-By` header expose

### A06 Vulnerable Components
- **Critical** — `cryptography==3.4.7` (CVE-2023-23931 Critical)
- **Medium** — Python 3.10 (EOL 2026-10; 3.12 plan)

### A07 Auth Failures
- **High** — JWT exp 24h (15dk + refresh olmalı)
- **Low** — Session rotation auth sonrası yok

## Action Items
| P0 | A01 IDOR owner check | @backend | 2026-05-18 |
| P0 | A02 password argon2id migration | @backend | 2026-05-23 |
| P0 | A06 cryptography 41+ bump | @platform | 2026-05-18 |
| P1 | A01 admin scope guard | @backend | 2026-05-23 |
| P1 | A02 sensitive log redact | @backend | 2026-05-30 |
| P1 | A05 CSP strict + report-uri | @frontend | 2026-05-30 |
| P1 | A07 JWT exp 15dk + refresh | @backend | 2026-06-06 |
| P2 | A03 parameterized query 2 endpoint | @backend | 2026-06-13 |
| P2 | A05 container non-root + RO FS | @platform | 2026-06-13 |
| P2 | A06 Python 3.12 upgrade | @platform | 2026-08-30 |
| P3 | A05 X-Powered-By strip | @platform | 2026-06-30 |
| P3 | A07 session rotation | @backend | 2026-06-30 |

## CI Gate Additions
- pre-commit: gitleaks + semgrep
- CI: pip-audit + trivy HIGH+ fail + ZAP baseline smoke
- pre-prod: threat model her PR `security` label