
owasp-appsec

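Use when reviewing code to identify security vulnerabilities, implementing authentication/authorization mechanisms, performing threat modeling, or building secure APIs. Covers OWASP Top 10:2025, API Security Top 10:2023, ASVS verification, and secure implementation cheatsheets.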

SKILL.md
--- frontmatter
name: owasp-appsec
description: Use when reviewing code for security vulnerabilities, implementing authentication/authorization, threat modeling, or building secure APIs. Covers OWASP Top 10:2025, API Security Top 10:2023, ASVS verification, and security implementation cheatsheets.

OWASP Application Security

Overview

Security guidance based on OWASP standards for identifying and preventing vulnerabilities in web applications and APIs. Routes agents to the right reference for their specific security task.

When to Use

Use this skill when:

  • Performing security code review (finding vulnerabilities, insecure patterns)
  • Implementing auth/authz (sessions, passwords, access control)
  • Threat modeling (identifying attack vectors, security requirements)
  • Building or securing APIs (REST, GraphQL)
  • Handling sensitive data (encryption, secrets)

Don't use for:

  • Network security, firewall rules
  • Infrastructure hardening (OS, containers)
  • Penetration testing execution (use TESTING-GUIDE.md for methodology only)

Quick Reference

| Task | Reference | Key Search Terms |
|------|-----------|------------------|
| Identify vulnerability category | references/TOP10-2025.md | A01-A10, CWE-ID |
| API security issues | references/API-TOP10-2023.md | API1-API10, BOLA, BFLA |
| Verification requirements | references/ASVS-CHECKLIST.md | L1, L2, L3, V1-V14 |
| Implementation guidance | references/cheatsheets/ | See CHEATSHEETS-INDEX.md |
| Testing methodology | references/TESTING-GUIDE.md | Phases, test categories |
| Report findings | assets/security-review-template.md | Severity, remediation |

OWASP Top 10:2025 Summary

| ID | Category | Key CWEs | Detection Focus |
|----|----------|----------|-----------------|
| A01 | Broken Access Control | 200, 284, 285, 639 | Missing authz checks, IDOR |
| A02 | Security Misconfiguration | 16, 611, 1004 | Default creds, verbose errors |
| A03 | Supply Chain Failures | 829, 1104 | Outdated deps, unverified sources |
| A04 | Cryptographic Failures | 259, 327, 328, 331 | Weak algorithms, hardcoded keys |
| A05 | Injection | 79, 89, 94, 78 | Unsanitized input to interpreters |
| A06 | Insecure Design | 209, 256, 501 | Missing threat modeling, weak controls |
| A07 | Authentication Failures | 287, 384, 613 | Weak passwords, session issues |
| A08 | Integrity Failures | 345, 494, 502 | Unsigned updates, unsafe deserialization |
| A09 | Logging Failures | 117, 223, 778 | Missing audit logs, log injection |
| A10 | Exception Handling | 209, 390, 754 | Verbose errors, unhandled exceptions |

OWASP API Security Top 10:2023 Summary

| ID | Category | Key Issue |
|----|----------|-----------|
| API1 | Broken Object Level Authorization | Missing per-object authz checks |
| API2 | Broken Authentication | Weak token validation, credential stuffing |
| API3 | Broken Object Property Level Authorization | Exposing/allowing modification of sensitive properties |
| API4 | Unrestricted Resource Consumption | No rate limiting, unbounded queries |
| API5 | Broken Function Level Authorization | Admin endpoints accessible to users |
| API6 | Unrestricted Access to Sensitive Flows | Automated abuse of business logic |
| API7 | Server Side Request Forgery | Unvalidated URLs in server requests |
| API8 | Security Misconfiguration | CORS, missing headers, debug enabled |
| API9 | Improper Inventory Management | Undocumented endpoints, old versions |
| API10 | Unsafe Consumption of APIs | Trusting third-party responses blindly |

ASVS Verification Levels

| Level | Name | Use When |
|-------|------|----------|
| L1 | Opportunistic | Any application, basic security baseline |
| L2 | Standard | Apps handling sensitive data, most production apps |
| L3 | Advanced | Critical applications (financial, healthcare, high-value) |

Load references/ASVS-CHECKLIST.md for detailed verification requirements by category.

Workflow: Security Code Review

  1. Identify scope: What component is being reviewed? (auth, API, data handling, etc.)
  2. Load relevant cheatsheet: read-resource("gw-skill://owasp-appsec/references/cheatsheets/{topic}.md")
  3. Check patterns: Compare code against DO/DON'T patterns in cheatsheet
  4. Map findings: Use TOP10-2025.md to categorize any issues found
  5. Report: Use assets/security-review-template.md for consistent output

Workflow: Implementing Security Controls

  1. Identify control needed: Authentication, input validation, encryption, etc.
  2. Load cheatsheet: Get implementation guidance for that control
  3. Follow DO patterns: Implement using the secure patterns shown
  4. Avoid DON'T patterns: Explicitly check you're not using anti-patterns
  5. Verify against ASVS: Check implementation meets verification level requirements

Common Mistakes

| Mistake | Why It's Wrong | Fix |
|---------|----------------|-----|
| Blocklist validation | Attackers find bypasses | Use allowlist validation |
| Client-only validation | Bypassable via proxy | Always validate server-side |
| Rolling own crypto | Subtle implementation flaws | Use established libraries |
| Secrets in code/config | Leaks via VCS, logs | Use env vars or secret managers |
| Verbose error messages | Leaks system details | Generic user errors, log details |
| Missing rate limiting | DoS, brute force attacks | Implement per-endpoint limits |
| CORS: * origin | Cross-site attacks | Allowlist specific origins |
| JWT in localStorage | XSS can steal tokens | Use httpOnly cookies |
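
The "CORS: * origin" mistake and its "Allowlist specific origins" fix, as an added example that is not part of the original skill: the wildcard policy beside an exact-match origin allowlist. The origins in ALLOWED_ORIGINS and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration: exact origins, never patterns.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})
DEFAULT_PORTS = {"https": 443, "http": 80}


def weak_cors_headers(origin_header):
    """The mistake from the table: every origin may read the response."""
    return {"Access-Control-Allow-Origin": "*"}


def normalize_origin(value):
    """Return 'scheme://host[:port]' in canonical form, or None if malformed."""
    if not value or value == "null":  # opaque origins serialize as "null"
        return None
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # A real Origin header has no userinfo, path, query or fragment.
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    origin = f"{parts.scheme}://{parts.hostname}"
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    return origin


def cors_headers(origin_header, allowed=ALLOWED_ORIGINS):
    """Echo the origin back only on an exact allowlist match."""
    # Vary: Origin keeps shared caches from serving one origin's answer to another.
    headers = {"Vary": "Origin"}
    origin = normalize_origin(origin_header)
    if origin in allowed:  # set membership: no prefix, suffix or regex matching
        headers["Access-Control-Allow-Origin"] = origin
    return headers
```

Exact set membership is what rejects look-alike hosts such as a domain that merely starts or ends with an allowed name; substring and loosely anchored regex checks are the usual way an allowlist gets bypassed.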

Cheatsheet Index

| Cheatsheet | Use For |
|------------|---------|
| authentication.md | Login, password policies, MFA, session tokens |
| authorization.md | Access control, RBAC, ABAC, permission checks |
| injection-prevention.md | SQL, command, LDAP, XPath injection |
| input-validation.md | Allowlists, type checking, canonicalization |
| xss-prevention.md | Output encoding, CSP, DOM manipulation |
| secrets-management.md | API keys, credentials, key rotation |
| session-management.md | Session IDs, timeouts, invalidation |
| cryptographic-storage.md | Encryption, hashing, key management |
| error-handling.md | Exception handling, logging, info disclosure |

Loading Nested Resources

```
# Load main OWASP Top 10 reference
read-resource("gw-skill://owasp-appsec/references/TOP10-2025.md")

# Load specific cheatsheet
read-resource("gw-skill://owasp-appsec/references/cheatsheets/authentication.md")

# Load security review template
read-resource("gw-skill://owasp-appsec/assets/security-review-template.md")
```