🎁 Get the FREE AI Skills Starter GuideSubscribe →
BytesAgainBytesAgain
🦀 ClawHub

Security Tester

by @zhanghengyi1986-afk

Security testing for web applications and APIs based on OWASP standards. Identify common vulnerabilities (injection, auth bypass, XSS, CSRF, IDOR), generate...

Versionv1.0.0
Downloads344
TERMINAL
clawhub install security-tester

📖 About This Skill


name: security-tester description: > Security testing for web applications and APIs based on OWASP standards. Identify common vulnerabilities (injection, auth bypass, XSS, CSRF, IDOR), generate security test cases, analyze scan results, and write security test reports. Follows OWASP Testing Guide v4.2, OWASP Top 10 (2021), and CWE classifications. Use when: (1) security testing web apps or APIs, (2) writing security test cases, (3) analyzing vulnerability scan results, (4) OWASP Top 10 verification, (5) authentication/authorization testing, (6) input validation testing, (7) "安全测试", "漏洞测试", "OWASP", "XSS测试", "SQL注入", "渗透测试", "权限测试", "越权测试", "IDOR", "CSRF". NOT for: code-level static analysis (use SAST tools), infrastructure penetration testing (use dedicated pentest tools), or compliance auditing (use GRC tools).

Security Tester

Test web application and API security based on OWASP standards.

OWASP Top 10 (2021) Test Matrix

Reference: https://owasp.org/Top10/

| # | Category | CWE | Key Tests | |---|----------|-----|-----------| | A01 | Broken Access Control | CWE-284 | IDOR, privilege escalation, force browse, CORS | | A02 | Cryptographic Failures | CWE-310 | TLS config, password storage, sensitive data exposure | | A03 | Injection | CWE-74 | SQLi, XSS, command injection, LDAP injection | | A04 | Insecure Design | CWE-501 | Business logic flaws, missing rate limits | | A05 | Security Misconfiguration | CWE-16 | Default creds, verbose errors, unnecessary features | | A06 | Vulnerable Components | CWE-1035 | Outdated libs, known CVEs | | A07 | Auth Failures | CWE-287 | Brute force, weak passwords, session fixation | | A08 | Data Integrity Failures | CWE-502 | Insecure deserialization, unsigned updates | | A09 | Logging Failures | CWE-778 | Missing audit logs, log injection | | A10 | SSRF | CWE-918 | Server-side request forgery |

Security Test Case Generation

For each API endpoint or page, apply this checklist:

A01: Access Control Testing (OWASP-AT)

# IDOR: Access another user's resource
curl -H "Authorization: Bearer $USER_A_TOKEN" \
  "$URL/api/users/USER_B_ID/profile"

Expected: 403 Forbidden

Horizontal privilege escalation

curl -H "Authorization: Bearer $NORMAL_USER_TOKEN" \ "$URL/api/admin/users"

Expected: 403 Forbidden

Force browsing (unauthenticated)

curl "$URL/api/internal/config"

Expected: 401 Unauthorized

CORS misconfiguration

curl -H "Origin: https://evil.com" -I "$URL/api/data"

Check: Access-Control-Allow-Origin should NOT be * or evil.com

HTTP method tampering

curl -X DELETE -H "Authorization: Bearer $READONLY_TOKEN" \ "$URL/api/items/1"

Expected: 403 if user lacks delete permission

A03: Injection Testing

# SQL Injection (OWASP-DV-005)

Reference: CWE-89

PAYLOADS=( "' OR '1'='1" "' OR '1'='1' --" "'; DROP TABLE users; --" "' UNION SELECT null,null,null --" "1' AND SLEEP(5) --" ) for p in "${PAYLOADS[@]}"; do echo "Testing: $p" curl -s -o /dev/null -w "%{http_code} %{time_total}s" \ "$URL/api/search?q=$(python3 -c "import urllib.parse; print(urllib.parse.quote('$p'))")" echo done

XSS (OWASP-DV-001)

Reference: CWE-79

XSS_PAYLOADS=( '' '' '">' "javascript:alert(1)" '' )

Command Injection (CWE-78)

CMD_PAYLOADS=( '; ls -la' '| cat /etc/passwd' '$(whoami)' 'id' )

A07: Authentication Testing

# Brute force protection (OWASP-AT-004)
for i in $(seq 1 20); do
  STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
    -X POST "$URL/api/login" \
    -H "Content-Type: application/json" \
    -d "{\"username\":\"admin\",\"password\":\"wrong$i\"}")
  echo "Attempt $i: $STATUS"
  # After 5-10 attempts, should see 429 or account lockout
done

Session fixation

1. Get session before login

2. Login

3. Verify session ID changed after login

JWT vulnerabilities

Check: alg=none bypass, weak secret, missing expiry

echo "$JWT" | cut -d. -f2 | base64 -d 2>/dev/null | python3 -m json.tool

Vulnerability Report Template

## 🛡️ Security Finding

Title: [CWE-XXX] Brief description Severity: 🔴 Critical / 🟠 High / 🟡 Medium / 🟢 Low / ℹ️ Info CVSS 3.1: X.X ({vector_string}) CWE: CWE-XXX ({cwe_name}) OWASP: A0X:2021 ({category}) Affected: {endpoint / component}

Description

What the vulnerability is and why it matters.

Proof of Concept

Step-by-step reproduction with exact commands/requests.

Impact

  • Confidentiality: {High/Medium/Low/None}
  • Integrity: {High/Medium/Low/None}
  • Availability: {High/Medium/Low/None}
  • Remediation

    Specific fix recommendations with code examples.

    References

  • OWASP: {link}
  • CWE: {link}
  • CVSS 3.1 Quick Scoring (Reference: https://www.first.org/cvss/)

    | Severity | Score | Example | |----------|-------|---------| | 🔴 Critical | 9.0-10.0 | Unauthenticated RCE, mass data breach | | 🟠 High | 7.0-8.9 | SQLi with data access, auth bypass | | 🟡 Medium | 4.0-6.9 | Stored XSS, IDOR with limited data | | 🟢 Low | 0.1-3.9 | Reflected XSS requiring interaction | | ℹ️ Info | 0.0 | Version disclosure, missing headers |

    Security Headers Check

    # Check response headers
    curl -sI "$URL" | grep -iE "strict-transport|content-security|x-frame|x-content-type|x-xss|referrer-policy|permissions-policy"

    Expected headers:

    Strict-Transport-Security: max-age=31536000; includeSubDomains

    Content-Security-Policy: default-src 'self'

    X-Frame-Options: DENY or SAMEORIGIN

    X-Content-Type-Options: nosniff

    Referrer-Policy: strict-origin-when-cross-origin

    Permissions-Policy: camera=(), microphone=()

    References

    For detailed testing procedures per category:

  • OWASP Top 10 detailed tests: See references/owasp-top10-tests.md
  • API-specific security: See references/api-security.md