AgentSkillsCN

owasp-review

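A step-by-step review checklist for the OWASP Top 10 security risks. Use it for code security reviews, when submitting a PR, or when code touches authentication, authorization, data storage, or external communication.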

SKILL.md
---
name: owasp-review
description: Step-by-step OWASP Top 10 security review checklist. Use this when reviewing code for security issues, submitting a PR, or when code touches authentication, authorization, data storage, or external communication.
---

Before submitting a PR, review the code against each OWASP Top 10 category. Flag any findings in the PR description.

Checklist

1. Broken Access Control

  • Are authorization checks enforced on every endpoint/function that requires them?
  • Can a user access another user's data by manipulating IDs or parameters?
  • Are default-deny policies in place?

2. Cryptographic Failures

  • Is sensitive data encrypted in transit (TLS) and at rest?
  • Are strong, current algorithms used (no MD5 or SHA-1 for security purposes)?
  • Are keys/secrets stored securely (not in code, not in logs)?

3. Injection

  • Are all inputs validated and sanitized?
  • Are parameterized queries used for all database access?
  • Is user input ever concatenated into commands, queries, or templates?

4. Insecure Design

  • Are trust boundaries clearly defined?
  • Is input from untrusted sources treated differently from trusted sources?
  • Are rate limits and resource constraints in place where needed?

5. Security Misconfiguration

  • Are default credentials, keys, or configs changed?
  • Are error messages generic (no stack traces or internal details exposed)?
  • Are unnecessary features, ports, or services disabled?

6. Vulnerable and Outdated Components

  • Are all dependencies pinned to specific versions?
  • Are there known vulnerabilities in any dependency?
  • Is there a process to update dependencies?

7. Identification and Authentication Failures

  • Are passwords hashed with a strong algorithm (bcrypt, argon2)?
  • Is multi-factor authentication supported where appropriate?
  • Are session tokens generated securely and invalidated on logout?

8. Software and Data Integrity Failures

  • Are CI/CD pipelines protected from tampering?
  • Are dependencies verified (checksums, signatures)?
  • Is deserialization of untrusted data avoided or protected?

9. Security Logging and Monitoring Failures

  • Are authentication attempts (success and failure) logged?
  • Are authorization failures logged?
  • Are logs protected from tampering and injection?
  • Do logs avoid capturing sensitive data (passwords, tokens, PII)?

10. Server-Side Request Forgery (SSRF)

  • Are outbound requests validated against an allowlist?
  • Is user input ever used to construct URLs for server-side requests?
  • Are internal network addresses blocked from user-supplied URLs?
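
One way to implement the three SSRF checks above for a user-supplied webhook URL, as an added example that is not part of the original skill file. The allowlist contents, the function names and the injectable `resolve` parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist for illustration; a real one comes from configuration.
ALLOWED_HOSTS = {"hooks.example.com"}


def is_public_ip(addr):
    """True only for globally routable addresses (not private, loopback, link-local)."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 such as ::ffff:10.0.0.1 before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def resolve_host(host):
    """Resolve a host name to the set of addresses a client would connect to."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def check_webhook_url(url, resolve=resolve_host):
    """Return (allowed, reason) for a user-supplied webhook URL."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    if port not in (None, 443):
        return False, "port not allowed"
    if not host or host.lower().rstrip(".") not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        addrs = resolve(host)
    except OSError:
        return False, "resolution failed"
    # Default-deny: every resolved address must be public.
    if not addrs or not all(is_public_ip(a) for a in addrs):
        return False, "resolves to internal address"
    return True, "ok"
```

The outbound request should connect to the address that was validated rather than resolving the name a second time, and should not follow redirects without re-running the check.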

Output

Add a section to the PR description:

```markdown
## OWASP Self-Review
- [x] Broken Access Control — N/A (no auth changes)
- [x] Injection — parameterized queries used throughout
- [ ] SSRF — needs review: user-supplied URL in webhook config
```