FrancoStino/web-security-testing
bundled-skills/web-security-testing/SKILL.md
Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.
$ install --global
skillsauthnpx skillsauth add FrancoStino/opencode-skills-antigravity web-security-testingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 29, 2026, 2:58 AM77.1s1 file scanned
SKILL.md
- name:
- web-security-testing
- description:
- Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.
- category:
- granular-workflow-bundle
- risk:
- safe
- source:
- personal
- date_added:
- 2026-02-27
Web Security Testing Workflow
Overview
Specialized workflow for testing web applications against OWASP Top 10 vulnerabilities including injection attacks, XSS, broken authentication, and access control issues.
When to Use This Workflow
Use this workflow when:
- Testing web application security
- Performing OWASP Top 10 assessment
- Conducting penetration tests
- Validating security controls
- Bug bounty hunting
Workflow Phases
Phase 1: Reconnaissance
Skills to Invoke
scanning-tools- Security scanningtop-web-vulnerabilities- OWASP knowledge
Actions
- Map application surface
- Identify technologies
- Discover endpoints
- Find subdomains
- Document findings
Copy-Paste Prompts
Use @scanning-tools to perform web application reconnaissance
Phase 2: Injection Testing
Skills to Invoke
sql-injection-testing- SQL injectionsqlmap-database-pentesting- SQLMap
Actions
- Test SQL injection
- Test NoSQL injection
- Test command injection
- Test LDAP injection
- Document vulnerabilities
Copy-Paste Prompts
Use @sql-injection-testing to test for SQL injection
Use @sqlmap-database-pentesting to automate SQL injection testing
Phase 3: XSS Testing
Skills to Invoke
xss-html-injection- XSS testinghtml-injection-testing- HTML injection
Actions
- Test reflected XSS
- Test stored XSS
- Test DOM-based XSS
- Test XSS filters
- Document findings
Copy-Paste Prompts
Use @xss-html-injection to test for cross-site scripting
Phase 4: Authentication Testing
Skills to Invoke
broken-authentication- Authentication testing
Actions
- Test credential stuffing
- Test brute force protection
- Test session management
- Test password policies
- Test MFA implementation
Copy-Paste Prompts
Use @broken-authentication to test authentication security
Phase 5: Access Control Testing
Skills to Invoke
idor-testing- IDOR testingfile-path-traversal- Path traversal
Actions
- Test vertical privilege escalation
- Test horizontal privilege escalation
- Test IDOR vulnerabilities
- Test directory traversal
- Test unauthorized access
Copy-Paste Prompts
Use @idor-testing to test for insecure direct object references
Use @file-path-traversal to test for path traversal
Phase 6: Security Headers
Skills to Invoke
api-security-best-practices- Security headers
Actions
- Check CSP implementation
- Verify HSTS configuration
- Test X-Frame-Options
- Check X-Content-Type-Options
- Verify referrer policy
Copy-Paste Prompts
Use @api-security-best-practices to audit security headers
Phase 7: Reporting
Skills to Invoke
reporting-standards- Security reporting
Actions
- Document vulnerabilities
- Assess risk levels
- Provide remediation
- Create proof of concept
- Generate report
Copy-Paste Prompts
Use @reporting-standards to create security report
OWASP Top 10 Checklist
- [ ] A01: Broken Access Control
- [ ] A02: Cryptographic Failures
- [ ] A03: Injection
- [ ] A04: Insecure Design
- [ ] A05: Security Misconfiguration
- [ ] A06: Vulnerable Components
- [ ] A07: Authentication Failures
- [ ] A08: Software/Data Integrity
- [ ] A09: Logging/Monitoring
- [ ] A10: SSRF
Quality Gates
- [ ] All OWASP Top 10 tested
- [ ] Vulnerabilities documented
- [ ] Proof of concepts captured
- [ ] Remediation provided
- [ ] Report generated
Related Workflow Bundles
security-audit- Security auditingapi-security-testing- API securitywordpress-security- WordPress security
Limitations
- Use this skill only when the task clearly matches the scope described above.
- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.
Related Skills
FrancoStino/youtube-full
development
VerifiedTrustedCommunity
Fetch YouTube transcripts, search videos, browse channels, and extract playlists via TranscriptAPI — no yt-dlp, no Google API key, works from any cloud server.
31SKILL.mdUpdated Jun 5, 2026
FrancoStino/yield-intelligence
development
VerifiedTrustedCommunity
Passive income portfolio analysis — activate when user asks about dividend yields, Treasury rates, REIT income, monthly passive income goals, or portfolio yield optimization. Scans 4 asset classes, ranks by risk-adjusted return, and builds allocations targeting a specific monthly income.
31SKILL.mdUpdated Jun 5, 2026
FrancoStino/vibecode-production-qa-validator
devops
VerifiedTrustedCommunity
End-to-end production QA, build verification, and launch-readiness checklist for fullstack Next.js apps. Covers TypeScript, linting, tests, build, SEO tags, route regression, and sitemap validation.
31SKILL.mdUpdated Jun 5, 2026
FrancoStino/vibe-code-cleanup
development
VerifiedTrustedCommunity
Safe production cleanup and hardening for vibe-coded fullstack apps (Next.js, React, Node.js, etc.). Removes dead imports, unused files, and broken references without breaking routes or APIs.
31SKILL.mdUpdated Jun 5, 2026