Security auditing and vulnerability detection using OWASP patterns, CWE analysis, and threat modeling. Use when auditing code for security issues, reviewing authentication/authorization, evaluating input validation, analyzing cryptographic usage, reviewing dependency security, or when security-audit, vulnerability-scan, OWASP, threat-model, or --security are mentioned.
This skill inherits all available tools. When active, it can use any tool Claude has access to.
references/owasp-top-10.mdThreat-aware code review → vulnerability detection → risk-ranked remediation.
<when_to_use>
NOT for: performance optimization, general code review without security focus, feature implementation </when_to_use>
<phases> Track with TodoWrite. Phases build comprehensive security assessment.| Phase | Trigger | activeForm |
|---|---|---|
| Threat Model | Session start, feature review | "Building threat model" |
| Attack Surface | Threat model complete | "Mapping attack surface" |
| Vulnerability Scan | Attack surface mapped | "Scanning for vulnerabilities" |
| Risk Assessment | Vulnerabilities identified | "Assessing risk levels" |
| Remediation Plan | Risks assessed | "Planning remediation" |
Workflow:
in_progresscompleted, add next in_progress<severity_levels> Risk indicator with CVSS-aligned severity:
◆◆ Critical (9.0–10.0)
◆ High (7.0–8.9)
◇ Medium (4.0–6.9)
△ Low (0.1–3.9)
Use indicators in findings: "◆◆ Remote code execution via unsanitized shell command" </severity_levels>
<threat_modeling>
Spoofing — can attacker impersonate users/systems?
Tampering — can attacker modify data?
Repudiation — can actions be denied?
Information Disclosure — can attacker access sensitive data?
Denial of Service — can attacker disrupt service?
Elevation of Privilege — can attacker gain unauthorized access?
Map attack paths from goal to entry points:
Goal: Steal user credentials
├─ Attack login endpoint
│ ├─ SQL injection in username field
│ ├─ Brute force (no rate limiting)
│ └─ Session fixation
├─ Intercept network traffic
│ ├─ HTTPS downgrade
│ └─ Man-in-the-middle
└─ Social engineering
├─ Phishing (out of scope)
└─ Password reset exploit
For each branch, assess:
<attack_surface>
External Interfaces:
Data Inputs:
Authentication Boundaries:
Trust Boundaries:
For each entry point document:
Prioritize review:
<vulnerability_patterns>
SQL Injection:
// VULNERABLE
const query = `SELECT * FROM users WHERE email = '${userEmail}'`;
// SECURE — parameterized queries
const query = 'SELECT * FROM users WHERE email = ?';
db.execute(query, [userEmail]);
XSS (Cross-Site Scripting):
// VULNERABLE — direct HTML insertion
element.innerHTML = userInput;
// SECURE — sanitized or use textContent
element.textContent = userInput;
// OR use DOMPurify for rich content
element.innerHTML = DOMPurify.sanitize(userInput);
Command Injection:
// VULNERABLE
exec(`convert ${userFilename} output.png`);
// SECURE — parameterized or whitelist
execFile('convert', [userFilename, 'output.png']);
Path Traversal:
// VULNERABLE
const filePath = `/uploads/${userFileName}`;
// SECURE — validate and normalize
const safeName = path.basename(userFileName);
const filePath = path.join('/uploads', safeName);
if (!filePath.startsWith('/uploads/')) {
throw new Error('Invalid path');
}
XML External Entity (XXE):
// VULNERABLE
const parser = new DOMParser();
const doc = parser.parseFromString(xmlInput, 'text/xml');
// SECURE — disable external entities
const parser = new DOMParser({
locator: {},
errorHandler: {},
// Disable DTD processing
entityResolver: () => null,
});
Password Storage:
// VULNERABLE — plain text or weak hash
const hash = md5(password);
// SECURE — bcrypt/argon2 with salt
const hash = await bcrypt.hash(password, 12);
Session Management:
// VULNERABLE — predictable session IDs
const sessionId = userId + Date.now();
// SECURE — cryptographically random
const sessionId = crypto.randomBytes(32).toString('hex');
// Add security attributes
res.cookie('session', sessionId, {
httpOnly: true,
secure: true, // HTTPS only
sameSite: 'strict',
maxAge: 3600000, // 1 hour
});
JWT Handling:
// VULNERABLE — no signature verification
const payload = JSON.parse(atob(token.split('.')[1]));
// SECURE — verify signature
const payload = jwt.verify(token, SECRET_KEY, {
algorithms: ['HS256'], // Specify allowed algorithms
issuer: 'your-app',
audience: 'your-api',
});
Password Reset:
// VULNERABLE — predictable tokens
const resetToken = userId + '-' + Date.now();
// SECURE — cryptographically random with expiry
const resetToken = crypto.randomBytes(32).toString('hex');
await db.execute(
'INSERT INTO reset_tokens (user_id, token, expires_at) VALUES (?, ?, ?)',
[userId, await bcrypt.hash(resetToken, 10), Date.now() + 3600000]
);
Broken Access Control:
// VULNERABLE — client-side only check
if (user.isAdmin) {
// show admin panel
}
// SECURE — server-side enforcement
app.get('/admin/users', requireAdmin, (req, res) => {
// Verify on every request
if (!req.user?.isAdmin) {
return res.status(403).json({ error: 'Forbidden' });
}
// Admin operation
});
Insecure Direct Object Reference (IDOR):
// VULNERABLE — no ownership check
app.get('/api/documents/:id', async (req, res) => {
const doc = await db.getDocument(req.params.id);
res.json(doc);
});
// SECURE — verify ownership
app.get('/api/documents/:id', async (req, res) => {
const doc = await db.getDocument(req.params.id);
if (doc.userId !== req.user.id && !req.user.isAdmin) {
return res.status(403).json({ error: 'Forbidden' });
}
res.json(doc);
});
Privilege Escalation:
// VULNERABLE — role from client input
app.post('/api/users', async (req, res) => {
const user = await createUser({
...req.body, // Includes role: 'admin' from malicious client
});
});
// SECURE — explicit allowlist
app.post('/api/users', async (req, res) => {
const allowedFields = ['name', 'email', 'password'];
const userData = pick(req.body, allowedFields);
const user = await createUser({
...userData,
role: 'user', // Server controls role
});
});
Weak Algorithms:
// VULNERABLE — deprecated algorithms
const hash = crypto.createHash('md5').update(data).digest('hex');
const cipher = crypto.createCipher('des', key);
// SECURE — modern algorithms
const hash = crypto.createHash('sha256').update(data).digest('hex');
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
Hardcoded Secrets:
// VULNERABLE
const API_KEY = 'sk-1234567890abcdef';
const DB_PASSWORD = 'admin123';
// SECURE — environment variables
const API_KEY = process.env.API_KEY;
const DB_PASSWORD = process.env.DB_PASSWORD;
if (!API_KEY || !DB_PASSWORD) {
throw new Error('Missing required environment variables');
}
Insufficient Randomness:
// VULNERABLE — predictable
const token = Math.random().toString(36);
// SECURE — cryptographically secure
const token = crypto.randomBytes(32).toString('hex');
Sensitive Data in Logs:
// VULNERABLE
logger.info('User login', { email, password, ssn });
// SECURE — redact sensitive fields
logger.info('User login', {
email,
password: '[REDACTED]',
ssn: '[REDACTED]',
});
Error Message Disclosure:
// VULNERABLE — exposes internals
catch (err) {
res.status(500).json({ error: err.stack });
}
// SECURE — generic message
catch (err) {
logger.error('Internal error', err);
res.status(500).json({ error: 'Internal server error' });
}
Timing Attacks:
// VULNERABLE — early exit leaks info
if (user.password !== inputPassword) {
return false;
}
// SECURE — constant-time comparison
return crypto.timingSafeEqual(
Buffer.from(user.password),
Buffer.from(inputPassword)
);
</vulnerability_patterns>
<owasp_top_10> 2021 OWASP Top 10 — primary vulnerability categories.
A01:2021 – Broken Access Control
CWE: 200, 201, 352, 359, 377, 402, 425, 639, 759, 639, 918, 1275
A02:2021 – Cryptographic Failures
CWE: 259, 327, 331
A03:2021 – Injection
CWE: 20, 74, 75, 77, 78, 79, 80, 83, 89, 91, 93, 94, 95, 96, 97, 183, 184
A04:2021 – Insecure Design
CWE: 209, 256, 257, 266, 269, 280, 311, 312, 313, 316, 419, 430, 434, 444
A05:2021 – Security Misconfiguration
CWE: 2, 11, 13, 15, 16, 260, 315, 520, 526, 537, 541, 547, 611, 614, 756, 776
A06:2021 – Vulnerable & Outdated Components
CWE: 1035, 1104
A07:2021 – Identification & Authentication Failures
CWE: 287, 288, 290, 294, 295, 297, 300, 302, 304, 306, 307, 346, 384, 521, 613, 640, 798, 940, 1216
A08:2021 – Software & Data Integrity Failures
CWE: 345, 353, 426, 494, 502, 565, 784, 829
A09:2021 – Security Logging & Monitoring Failures
CWE: 117, 223, 532, 778
A10:2021 – Server-Side Request Forgery (SSRF)
CWE: 918
See owasp-top-10.md for detailed breakdowns. </owasp_top_10>
<workflow> Loop: Model Threats → Map Surface → Scan Vulnerabilities → Assess Risk → Plan RemediationThreat Model — identify what could go wrong
Attack Surface — map entry points
Vulnerability Scan — systematic code review
Risk Assessment — severity and likelihood
Remediation Plan — prioritized fixes
Update todos as you progress through phases. </workflow>
<security_review_checklist> Before completing security review, verify:
Authentication:
Authorization:
Input Validation:
Cryptography:
Data Protection:
Dependencies:
Logging & Monitoring:
For each vulnerability found:
## {SEVERITY_INDICATOR} {VULNERABILITY_NAME}
**Category**: {OWASP_CATEGORY}
**CWE**: {CWE_IDS}
**Severity**: {CRITICAL/HIGH/MEDIUM/LOW}
### Location
- File: {FILE_PATH}
- Lines: {LINE_RANGE}
- Function: {FUNCTION_NAME}
### Description
{CLEAR_EXPLANATION_OF_VULNERABILITY}
### Impact
{WHAT_ATTACKER_COULD_DO}
### Proof of Concept
{CODE_SNIPPET_OR_STEPS_TO_EXPLOIT}
### Remediation
{SPECIFIC_FIX_WITH_CODE_EXAMPLE}
### References
- OWASP: {URL}
- CWE: {URL}
# Security Audit Report
**Date**: {DATE}
**Scope**: {COMPONENTS_REVIEWED}
**Reviewer**: {NAME}
## Executive Summary
{HIGH_LEVEL_OVERVIEW}
## Risk Summary
- Critical (◆◆): {COUNT}
- High (◆): {COUNT}
- Medium (◇): {COUNT}
- Low (△): {COUNT}
## Key Findings
{TOP_3_MOST_CRITICAL}
## Detailed Findings
{FULL_VULNERABILITY_LIST}
## Recommendations
{PRIORITIZED_REMEDIATION_PLAN}
## Conclusion
{OVERALL_SECURITY_POSTURE_ASSESSMENT}
NEVER:
Related skills: