skills/common/common-owasp/SKILL.md
OWASP Top 10 audit checklists for Web Applications (2021), APIs (2023), and Mobile (2024). Use when performing any security review, PR review, or codebase audit touching web, mobile, or API code.
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf): `npx skillsauth add hoangnguyen0403/agent-skills-standard common-owasp`
Apply these on every code write, not only during dedicated security reviews:

- Always scope lookups by `owner_id` or `tenantId` alongside any user-supplied ID. `findById(params.id)` without an owner filter is an immediate P0.
- Never send `Access-Control-Allow-Origin: *` on authenticated routes.
- Never keep tokens or secrets in SharedPreferences/UserDefaults; use Keychain/Keystore.

Activate when: writing security-sensitive features, reviewing PRs, or doing codebase audits.
Mark each item: ✅ not affected | ⚠️ needs review | 🔴 confirmed finding.
A P0 finding caps the Security score at 40/100.
Apply framework-specific security skills alongside this checklist. See references/owasp-web.md, references/owasp-api.md, and references/owasp-mobile.md for full detection signals.

Web Applications (OWASP Top 10, 2021):

| ID | Risk | Key Detection Signal |
| --- | ---- | -------------------- |
| A01 | Broken Access Control | findById(params.id) without owner filter. Route without @authorize. |
| A02 | Cryptographic Failures | Weak hash (MD5/SHA1) for passwords. HTTP URL hardcoded. No TLS. |
| A03 | Injection | String concat in DB queries. Unsanitized input to templates. XSS. |
| A04 | Insecure Design | No rate limiting on auth. Missing input validation at entry points. |
| A05 | Security Misconfiguration | CORS *. Debug mode in prod. Missing security headers (CSP, HSTS). |
| A06 | Vulnerable Components | CVE in dependency audit. Unreviewed new direct dependency. |
| A07 | Auth Failures | JWT without expiry. No session invalidation on logout. |
| A08 | Data Integrity Failures | Unverified JWT/cookie. Deserialization of untrusted input. |
| A09 | Logging & Monitoring | No audit log on: deletion, password change, privilege escalation. |
| A10 | SSRF | HTTP client with user-controlled URL and no allowlist. |

APIs (OWASP API Security Top 10, 2023):

| ID | Risk | Key Detection Signal |
| ---- | ---- | -------------------- |
| API1 | Broken Object Level Auth (BOLA) | Resource by user-supplied ID without AND owner_id = currentUser. |
| API2 | Broken Authentication | JWT missing exp. Token not revoked on logout. Bearer in URL. |
| API3 | Broken Property Level Auth | Full ORM entity returned. No DTO projection. Mass assignment. |
| API4 | Unrestricted Resource Consumption | No server-enforced limit/pageSize. No throttle on heavy ops. |
| API5 | Broken Function Level Auth | Admin route reachable without role guard. |
| API6 | Unrestricted Business Flow | No verification on OTP/checkout/password-reset flows. |
| API8 | Security Misconfiguration | Stack trace in response. CORS * on authenticated routes. |
| API9 | Improper Inventory Management | Deprecated/undocumented endpoints still reachable. |
| API10 | Unsafe API Consumption | Third-party response used without schema validation. |

Mobile (OWASP Mobile Top 10, 2024):

| ID | Risk | Key Detection Signal |
| --- | ---- | -------------------- |
| M1 | Improper Credential Usage | API keys in BuildConfig, Info.plist, hardcoded in source. |
| M2 | Inadequate Supply Chain | Unverified SDKs, pods, or packages without lock files. |
| M3 | Insecure Auth/AuthZ | Biometric-only auth without server validation. Local role checks. |
| M4 | Insufficient I/O Validation | WebView loadUrl with user data. Intent data used unvalidated. |
| M5 | Insecure Communication | No cert pinning. cleartextTrafficPermitted=true. ATS exceptions. |
| M6 | Inadequate Privacy | Location/contacts without justification. PII in analytics. |
| M7 | Insufficient Binary Protection | No obfuscation. android:debuggable=true. No root detection. |
| M8 | Security Misconfiguration | Exported components. Backup enabled. Debug endpoints. |
| M9 | Insecure Data Storage | Tokens in SharedPreferences/UserDefaults vs Keychain/Keystore. |
| M10 | Insufficient Cryptography | Hardcoded encryption keys. Deprecated algorithms (DES, RC4). |
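
The A01 / API1 signal above (a resource fetched by a user-supplied ID with no owner filter) as a vulnerable handler beside its hardened form. This is an added example, not code from the skill or its references; the in-memory `Doc` store, the `req` objects and the `tenantId` field are constructed stand-ins for a real ORM and an Express-style request.

```javascript
// Added example: BOLA / broken access control (A01 web, API1 API).
// The `docs` array and `Doc` object are a constructed stand-in for an ORM
// such as Mongoose; `req.user` stands in for the authenticated session.

const docs = [
  { _id: 'd1', owner_id: 'alice', tenantId: 't1', title: 'alice private' },
  { _id: 'd2', owner_id: 'bob',   tenantId: 't1', title: 'bob private' },
  { _id: 'd3', owner_id: 'carol', tenantId: 't2', title: 'carol private' },
];

// Minimal ORM stand-in: findById trusts the ID alone, findOne takes a filter.
const Doc = {
  findById: (id) => docs.find((d) => d._id === id) || null,
  findOne: (where) =>
    docs.find((d) => Object.entries(where).every(([k, v]) => d[k] === v)) || null,
};

// 🔴 Vulnerable: params.id is the only thing that selects the row, so any
// authenticated user can read any document by supplying its ID. This is the
// "findById(params.id) without owner filter" P0 from the checklist.
function getDocVulnerable(req) {
  const doc = Doc.findById(req.params.id);
  return doc ? { status: 200, body: doc } : { status: 404 };
}

// ✅ Hardened: the owner and tenant taken from the authenticated session are
// part of the query itself, so the store never returns another user's row.
// A 404 (rather than 403) on a miss avoids confirming that the ID exists.
function getDocHardened(req) {
  const doc = Doc.findOne({
    _id: req.params.id,
    owner_id: req.user.id,
    tenantId: req.user.tenantId,
  });
  return doc ? { status: 200, body: doc } : { status: 404 };
}

// Constructed requests: bob (tenant t1) asks for alice's doc, then his own.
const crossUserReq = { params: { id: 'd1' }, user: { id: 'bob', tenantId: 't1' } };
const ownReq = { params: { id: 'd2' }, user: { id: 'bob', tenantId: 't1' } };

console.log(getDocVulnerable(crossUserReq).status); // 200: leaks alice's document
console.log(getDocHardened(crossUserReq).status);   // 404: owner filter blocks it
console.log(getDocHardened(ownReq).status);         // 200: bob still reads his own
```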