hoangnguyen0403/common-dast-tooling
agents/skills/common/common-dast-tooling/SKILL.md
Standardize usage of Dynamic Application Security Testing (DAST) tools (ZAP, Nuclei, Nikto) and custom AI-driven curl probes for adversarial system testing. Use when advising on or running dynamic security scans on local/staging environments.
$ install --global
skillsauthnpx skillsauth add hoangnguyen0403/agent-skills-standard common-dast-toolingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 7:56 AM69.0s2 files scanned
SKILL.md
- name:
- common-dast-tooling
- description:
- Standardize usage of Dynamic Application Security Testing (DAST) tools (ZAP, Nuclei, Nikto) and custom AI-driven curl probes for adversarial system testing. Use when advising on or running dynamic security scans on local/staging environments.
DAST Tooling Standard
Priority: P1 (OPERATIONAL)
Always-Apply Rules
- No Scanning Production: Never run DAST tools against live production environments. Use local or staging replicas only.
- No Uncapped Scans: Always set
max-depthormax-durationto avoid infinite loops on dynamic routes. - No Anonymous Probing: Use authenticated headers (
Authorization) to test protected surfaces, not public ones.
1. Automated DAST Tools
Follow implementation guide for command-line setup.
- Nuclei: Best for fast, template-based CVE/Misconfiguration scanning.
- ZAP-CLI: Best for deep spidering and web vulnerability scanning (SQLi, XSS, etc.).
- Nikto: Quick scan for insecure server configurations and outdated software.
2. Adversarial curl Probing (Manual)
When tools unavailable, use AI to generate targeted curl probes:
- Bypassing Guards: Probe protected routes with manipulated headers (
X-Forwarded-For,X-Custom-Auth). - Data Leakage: Request
/metrics,/health, or.gitdirectories to find exposed metadata. - Parameter Tampering: Modify payload types (String -> Object) or inject large payloads to test limits.
Scoring Impact
| Finding | Severity | Deduction | | --------------------------------------- | -------- | --------- | | Unauthenticated access to private data | P0 | -25 | | Successful SQLi/RCE via probe | P0 | -20 | | Info Leakage (Server versions/Env vars) | P1 | -10 | | Missing security headers (CSP/HSTS) | P2 | -5 |
Anti-Patterns
- No relying solely on static analysis: Pentesting MUST include dynamic execution feedback.
- No ignoring non-web protocols: Check Docker ports, SSH banners, and internal gRPC/RMQ listeners.
References
- DAST Tooling Implementation
- OWASP Dynamic Scanning Guide
Related Skills
hoangnguyen0403/specialist-pr-reviewer
development
VerifiedTrustedCommunity
Summarizes GitHub PR, GitLab MR, or Azure DevOps PR metadata, review threads, changed files, and template completeness. Use during review-ticket or code-review workflows when PR/MR context exists.
498SKILL.mdUpdated May 23, 2026
hoangnguyen0403/typescript-tooling
tools
VerifiedTrustedCommunity
Development tools, linting, and build config for TypeScript. Use when configuring ESLint, Prettier, Jest, Vitest, tsconfig, or any TS build tooling.
498SKILL.mdUpdated May 21, 2026
hoangnguyen0403/typescript-security
development
VerifiedTrustedCommunity
Validate input, secure auth tokens, and prevent injection attacks in TypeScript. Use when validating input, handling auth tokens, sanitizing data, or managing secrets and sensitive configuration.
498SKILL.mdUpdated May 21, 2026
hoangnguyen0403/typescript-language
development
VerifiedTrustedCommunity
Apply modern TypeScript standards for type safety and maintainability. Use when working with types, interfaces, generics, enums, unions, or tsconfig settings.
498SKILL.mdUpdated May 21, 2026