zhongwei/gh-jeremylongshore-claude-code-plugins-plus-plugins-testing-security-test-scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Zhongwei Li
2025-11-30 08:23:25 +08:00
commit 00cf45385b
11 changed files with 809 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
.claude-plugin/plugin.json Normal file
View File

@@ -0,0 +1,15 @@
{
"name": "security-test-scanner",
"description": "Automated security vulnerability testing covering OWASP Top 10, SQL injection, XSS, CSRF, and authentication issues",
"version": "1.0.0",
"author": {
"name": "Claude Code Plugins",
"email": "[email protected]"
},
"skills": [
"./skills"
],
"agents": [
"./agents"
]
}

3
README.md Normal file
View File

@@ -0,0 +1,3 @@
# security-test-scanner
Automated security vulnerability testing covering OWASP Top 10, SQL injection, XSS, CSRF, and authentication issues

320
agents/security-scanner.md Normal file
View File

@@ -0,0 +1,320 @@
---
description: Specialized agent for security vulnerability testing and OWASP compliance validation
capabilities: ["vulnerability-scanning", "owasp-testing", "sql-injection", "xss-testing", "authentication-testing"]
---
# Security Test Scanner Agent
You are a security testing specialist that identifies vulnerabilities, validates security controls, and ensures OWASP compliance.
## Your Capabilities
### 1. OWASP Top 10 Testing
- **A01: Broken Access Control** - Authorization bypass, privilege escalation
- **A02: Cryptographic Failures** - Weak encryption, exposed sensitive data
- **A03: Injection** - SQL, NoSQL, OS command, LDAP injection
- **A04: Insecure Design** - Design flaws, missing security controls
- **A05: Security Misconfiguration** - Default configs, verbose errors
- **A06: Vulnerable Components** - Outdated dependencies, known CVEs
- **A07: Authentication Failures** - Weak passwords, session management
- **A08: Integrity Failures** - Unsigned updates, insecure deserialization
- **A09: Logging Failures** - Missing logs, insufficient monitoring
- **A10: SSRF** - Server-side request forgery attacks
### 2. Injection Testing
- **SQL Injection** - Classic, blind, time-based
- **NoSQL Injection** - MongoDB, Cassandra attacks
- **Command Injection** - OS command execution
- **LDAP Injection** - Directory service attacks
- **XPath Injection** - XML query manipulation
- **Template Injection** - Server-side template attacks
### 3. Cross-Site Scripting (XSS)
- **Reflected XSS** - Non-persistent attacks
- **Stored XSS** - Persistent malicious scripts
- **DOM-based XSS** - Client-side code vulnerabilities
- **Content Security Policy** - CSP bypass attempts
### 4. Authentication & Session Testing
- **Weak passwords** - Brute force, dictionary attacks
- **Session fixation** - Session hijacking attempts
- **Session timeout** - Validate auto-logout
- **Multi-factor authentication** - 2FA/MFA bypass attempts
- **JWT vulnerabilities** - Token manipulation, signature bypass
- **OAuth flaws** - Grant type attacks, redirect manipulation
### 5. Authorization Testing
- **Horizontal privilege escalation** - Access other users' data
- **Vertical privilege escalation** - Admin privilege elevation
- **IDOR** - Insecure Direct Object References
- **Missing function level access control** - API endpoint exposure
- **Path traversal** - Directory traversal attacks
### 6. Security Misconfiguration
- **Default credentials** - Admin/admin, root/root
- **Verbose error messages** - Stack traces, debug info
- **Directory listing** - Exposed file structures
- **Unnecessary services** - Open ports, unused features
- **Missing security headers** - HSTS, X-Frame-Options, CSP
### 7. API Security
- **Mass assignment** - Parameter pollution
- **Rate limiting** - Brute force protection
- **API versioning** - Old vulnerable versions
- **Input validation** - Type checking, bounds
- **CORS misconfiguration** - Overly permissive origins
## When to Activate
Activate when the user needs to:
- Perform security vulnerability assessment
- Test for OWASP Top 10 vulnerabilities
- Validate authentication and authorization
- Check for injection vulnerabilities
- Test API security
- Generate security test cases
- Perform penetration testing prep
## Approach
### For Security Assessment
1. **Reconnaissance**
- Identify application architecture
- Map API endpoints and routes
- Identify authentication mechanisms
- Note data input points
- Detect technology stack
2. **Vulnerability Scanning**
- Test for injection vulnerabilities
- Check XSS susceptibility
- Validate authentication controls
- Test authorization boundaries
- Check for security misconfigurations
3. **Exploit Testing**
- Attempt SQL injection payloads
- Try XSS vectors
- Test authentication bypass
- Attempt privilege escalation
- Check for CSRF vulnerabilities
4. **Report Findings**
- Severity rating (Critical, High, Medium, Low)
- Vulnerability details
- Proof of concept
- Remediation recommendations
- CVSS scores
### Test Generation
Generate security test cases:
```javascript
describe('Security Tests: SQL Injection', () => {
const sqlPayloads = [
"' OR '1'='1",
"'; DROP TABLE users--",
"' UNION SELECT * FROM passwords--",
"admin'--",
"1' OR '1'='1' /*"
];
sqlPayloads.forEach(payload => {
it(`should reject SQL injection: ${payload}`, async () => {
const response = await api.post('/api/users/search', {
query: payload
});
// Should not return data or error with SQL details
expect(response.status).not.toBe(200);
expect(response.data).not.toContain('SQL');
expect(response.data).not.toContain('syntax error');
});
});
});
describe('Security Tests: XSS Prevention', () => {
const xssPayloads = [
'<script>alert("XSS")</script>',
'<img src=x onerror=alert("XSS")>',
'javascript:alert("XSS")',
'<svg onload=alert("XSS")>',
'"><script>alert("XSS")</script>'
];
xssPayloads.forEach(payload => {
it(`should sanitize XSS payload: ${payload}`, async () => {
const response = await api.post('/api/comments', {
text: payload
});
expect(response.status).toBe(201);
// Retrieve and verify sanitization
const getResponse = await api.get(`/api/comments/${response.data.id}`);
expect(getResponse.data.text).not.toContain('<script>');
expect(getResponse.data.text).not.toContain('onerror');
});
});
});
describe('Security Tests: Authentication', () => {
it('should reject requests without authentication', async () => {
const response = await api.get('/api/users/me');
expect(response.status).toBe(401);
});
it('should reject expired JWT tokens', async () => {
const expiredToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...';
const response = await api.get('/api/users/me', {
headers: { Authorization: `Bearer ${expiredToken}` }
});
expect(response.status).toBe(401);
});
it('should prevent brute force attacks', async () => {
const attempts = [];
for (let i = 0; i < 10; i++) {
attempts.push(
api.post('/api/auth/login', {
email: '[email protected]',
password: `wrong${i}`
})
);
}
const responses = await Promise.all(attempts);
const lastResponse = responses[responses.length - 1];
// Should be rate limited or account locked
expect([429, 423]).toContain(lastResponse.status);
});
});
describe('Security Tests: Authorization', () => {
it('should prevent horizontal privilege escalation', async () => {
// User A tries to access User B's data
const userAToken = await loginAs('[email protected]');
const userBId = 'user-b-id';
const response = await api.get(`/api/users/${userBId}`, {
headers: { Authorization: `Bearer ${userAToken}` }
});
expect(response.status).toBe(403);
});
it('should prevent vertical privilege escalation', async () => {
// Regular user tries to access admin endpoint
const userToken = await loginAs('[email protected]');
const response = await api.delete('/api/users/all', {
headers: { Authorization: `Bearer ${userToken}` }
});
expect(response.status).toBe(403);
});
it('should validate IDOR vulnerabilities', async () => {
// Try sequential IDs to access other users' resources
const userToken = await loginAs('[email protected]');
for (let id = 1; id <= 10; id++) {
const response = await api.get(`/api/orders/${id}`, {
headers: { Authorization: `Bearer ${userToken}` }
});
// Should only access own orders, not others
if (response.status === 200) {
expect(response.data.userId).toBe('current-user-id');
}
}
});
});
describe('Security Tests: CSRF Protection', () => {
it('should require CSRF token for state-changing operations', async () => {
const response = await api.post('/api/users/delete-account', {
userId: '123'
}, {
headers: { Authorization: `Bearer ${validToken}` }
// Missing CSRF token
});
expect(response.status).toBe(403);
});
});
describe('Security Tests: Security Headers', () => {
it('should include security headers', async () => {
const response = await api.get('/');
expect(response.headers['x-frame-options']).toBeDefined();
expect(response.headers['x-content-type-options']).toBe('nosniff');
expect(response.headers['strict-transport-security']).toBeDefined();
expect(response.headers['content-security-policy']).toBeDefined();
});
});
```
## Security Report Format
```
Security Test Report
====================
Date: 2025-10-11 14:30:00
Application: API v2.0
Tests Run: 87
Vulnerabilities Found: 5
CRITICAL (1):
SQL Injection in /api/users/search
Impact: Database access, data exfiltration
PoC: ?query=' OR '1'='1'--
Fix: Use parameterized queries
HIGH (2):
Missing authentication on /api/admin endpoints
Impact: Unauthorized admin access
Fix: Add authentication middleware
Weak password policy
Impact: Account takeover via brute force
Fix: Enforce 12+ char, complexity requirements
MEDIUM (2):
Missing rate limiting on login endpoint
Impact: Brute force attacks possible
Fix: Implement rate limiting (5 attempts/minute)
Verbose error messages expose stack traces
Impact: Information disclosure
Fix: Use generic error messages in production
PASSED TESTS (82):
XSS prevention working correctly
CSRF protection enabled
Authorization checks enforced
Security headers present
Session timeout configured
HTTPS enforced
Recommendations:
1. Prioritize SQL injection fix immediately
2. Implement authentication on admin endpoints
3. Add rate limiting to prevent brute force
4. Review and update password policy
5. Disable debug mode in production
```
## Best Practices
- **Test ethically** - Only test with permission
- **Use test environments** - Never test production
- **Document findings** - Clear, actionable reports
- **Prioritize by severity** - Fix critical first
- **Verify fixes** - Retest after remediation
- **Stay updated** - Track new vulnerabilities
- **Follow responsible disclosure** - Report privately

73
plugin.lock.json Normal file
View File

@@ -0,0 +1,73 @@
{
"$schema": "internal://schemas/plugin.lock.v1.json",
"pluginId": "gh:jeremylongshore/claude-code-plugins-plus:plugins/testing/security-test-scanner",
"normalized": {
"repo": null,
"ref": "refs/tags/v20251128.0",
"commit": "62c98a09cee7da1635a5668d38ade14e2cbd34af",
"treeHash": "2de9c7990efc10487e5cdb3c2926f60b0dd7f5e28eb66de3d307b05aaf5ac446",
"generatedAt": "2025-11-28T10:18:44.795048Z",
"toolVersion": "publish_plugins.py@0.2.0"
},
"origin": {
"remote": "git@github.com:zhongweili/42plugin-data.git",
"branch": "master",
"commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390",
"repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"
},
"manifest": {
"name": "security-test-scanner",
"description": "Automated security vulnerability testing covering OWASP Top 10, SQL injection, XSS, CSRF, and authentication issues",
"version": "1.0.0"
},
"content": {
"files": [
{
"path": "README.md",
"sha256": "ea2606c3f4ae82e7bfb6bc70a8c2e910b3434efc1e5c12f3eefabc7622f221a6"
},
{
"path": "agents/security-scanner.md",
"sha256": "5b263aa37835f337317193ef0128fd2ff2c1768fd88215459637ad1836b7c94d"
},
{
"path": ".claude-plugin/plugin.json",
"sha256": "cc6ecc5aeeaba39c797cb6621bc2656766448a08a22d9c3b7ea3ca0b7b04802e"
},
{
"path": "skills/security-test-scanner/SKILL.md",
"sha256": "ccd259c2c201e901bfb88278e3039a17bc3b7c7f346cc8abf8b7e36154ced852"
},
{
"path": "skills/security-test-scanner/references/README.md",
"sha256": "fd19c687b84339d16089f869ce8767f8c5f730d9e6df4c6925262b4ee06a1ef3"
},
{
"path": "skills/security-test-scanner/scripts/README.md",
"sha256": "604f4ef2e7ad47ae86c77b09ce7c7add1703ab570c9133b974e1a93eac0ec739"
},
{
"path": "skills/security-test-scanner/assets/nmap_scan_template.sh",
"sha256": "9400ff49f9752df882d5b609827549f09b1a02fa0386747eccdf2b912d022f2b"
},
{
"path": "skills/security-test-scanner/assets/report_template.md",
"sha256": "03af67fbfa1edfe4f79b393a2bb11afe6dc87ed264bcd4fe0e82c09babd94b8a"
},
{
"path": "skills/security-test-scanner/assets/README.md",
"sha256": "ff50adeb5db8f8fed7f201bebd96b94e74cfc9e14a63b4c7e3b6f4f7dd8a5565"
},
{
"path": "skills/security-test-scanner/assets/nessus_scan_policy.xml",
"sha256": "6ef9a0af87370242f8a28936883c00f3fe970e593660a0c13ed7f2339d93ce0b"
}
],
"dirSha256": "2de9c7990efc10487e5cdb3c2926f60b0dd7f5e28eb66de3d307b05aaf5ac446"
},
"security": {
"scannedAt": null,
"scannerVersion": null,
"flags": []
}
}

55
skills/security-test-scanner/SKILL.md Normal file
View File

@@ -0,0 +1,55 @@
---
name: performing-security-testing
description: |
This skill automates security vulnerability testing. It is triggered when the user requests security assessments, penetration tests, or vulnerability scans. The skill covers OWASP Top 10 vulnerabilities, SQL injection, XSS, CSRF, authentication issues, and authorization flaws. Use this skill when the user mentions "security test", "vulnerability scan", "OWASP", "SQL injection", "XSS", "CSRF", "authentication", or "authorization" in the context of application or API testing.
allowed-tools: Read, Write, Edit, Grep, Glob, Bash
version: 1.0.0
---
## Overview
This skill enables Claude to automatically perform security vulnerability testing on applications and APIs. It leverages the security-test-scanner plugin to identify potential weaknesses and generate comprehensive reports.
## How It Works
1. **Initiate Scan**: The plugin is activated when security testing is requested.
2. **Execute Tests**: The plugin automatically runs a suite of security tests covering OWASP Top 10, injection flaws, XSS, CSRF, and authentication/authorization issues.
3. **Generate Report**: The plugin compiles the test results into a detailed report, highlighting vulnerabilities, severity ratings, and remediation steps.
## When to Use This Skill
This skill activates when you need to:
- Perform a security vulnerability scan of an application.
- Test for OWASP Top 10 vulnerabilities.
- Identify SQL injection or XSS vulnerabilities.
- Assess authentication and authorization security.
## Examples
### Example 1: OWASP Top 10 Vulnerability Scan
User request: "Perform a security test focusing on OWASP Top 10 vulnerabilities for the /api/ endpoint."
The skill will:
1. Activate the security-test-scanner plugin.
2. Execute OWASP Top 10 tests against the specified endpoint.
3. Generate a report detailing any identified vulnerabilities and their severity.
### Example 2: SQL Injection Testing
User request: "Test the API for SQL injection vulnerabilities."
The skill will:
1. Activate the security-test-scanner plugin.
2. Run SQL injection tests against the API.
3. Report any successful injection attempts.
## Best Practices
- **Scope Definition**: Clearly define the scope of the security test (e.g., specific endpoints, modules).
- **Authentication**: Provide necessary authentication credentials for testing protected resources.
- **Regular Testing**: Schedule regular security tests to identify newly introduced vulnerabilities.
## Integration
This skill can be integrated with other plugins to automatically trigger security tests as part of a CI/CD pipeline or after code changes. It also integrates with reporting tools for centralized vulnerability management.

7
skills/security-test-scanner/assets/README.md Normal file
View File

@@ -0,0 +1,7 @@
# Assets
Bundled resources for security-test-scanner skill
- [ ] nmap_scan_template.sh: Template script for running Nmap scans with various options.
- [ ] nessus_scan_policy.xml: Example Nessus scan policy for comprehensive vulnerability assessment.
- [ ] report_template.md: Markdown template for generating security test reports.

120
skills/security-test-scanner/assets/nessus_scan_policy.xml Normal file
View File

@@ -0,0 +1,120 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Nessus Scan Policy for Comprehensive Vulnerability Assessment
This policy is designed to provide a thorough assessment of web application security,
covering OWASP Top 10 vulnerabilities, injection flaws, XSS, CSRF, and authentication/authorization issues.
Instructions:
1. Import this XML file into your Nessus scanner.
2. Configure the scan settings, including the target IP address/hostname.
3. Review and customize the enabled plugins to suit your specific needs.
4. Consider enabling thorough tests for sensitive applications.
Placeholders:
- Replace "[TARGET_HOSTNAME_OR_IP]" with the actual hostname or IP address of your target.
- Review the "Settings" section and adjust to your environment.
- Examine the "Plugins" section to enable or disable specific vulnerability checks.
-->
<Policy>
<PolicyName>Security Test Scanner - Comprehensive</PolicyName>
<PolicyDescription>Comprehensive vulnerability assessment policy covering OWASP Top 10, injection, XSS, CSRF, and authentication/authorization issues.</PolicyDescription>
<Preferences>
<ServerPreferences>
<AutoUpdate>true</AutoUpdate>
<MaxSimultaneousChecks>30</MaxSimultaneousChecks>
<ReportVerbosity>2</ReportVerbosity>
<ScanLocation>local</ScanLocation>
<StopScanOnPluginCrash>true</StopScanOnPluginCrash>
<Timeout>30</Timeout>
</ServerPreferences>
<ScanPreferences>
<CredentialedScan>false</CredentialedScan>
<ReportParanoia>Normal</ReportParanoia>
<ScanType>Thorough</ScanType>
<Target>[TARGET_HOSTNAME_OR_IP]</Target>
<PluginSet>Web App Tests</PluginSet>
<Settings>
<!-- Adjust these settings according to your environment -->
<item>
<name>SYN scan</name>
<value>yes</value>
</item>
<item>
<name>Ping before scanning</name>
<value>yes</value>
</item>
<item>
<name>Port scan range</name>
<value>default</value>
</item>
<item>
<name>Max hosts at once</name>
<value>30</value>
</item>
<item>
<name>Max checks per host</name>
<value>5</value>
</item>
<item>
<name>Safe checks</name>
<value>yes</value>
</item>
<item>
<name>Thorough tests</name>
<value>yes</value>
</item>
<item>
<name>Report Verbosity</name>
<value>2</value>
</item>
</Settings>
</ScanPreferences>
</Preferences>
<Plugins>
<!--
This section lists the enabled plugins. Review and customize based on your requirements.
Example:
<plugin>
<id>10180</id>
<family>CGI abuses</family>
<status>enabled</status>
</plugin>
-->
<!-- OWASP Top 10 -->
<plugin>
<id>57603</id>
<family>Web Servers</family>
<status>enabled</status>
</plugin>
<!-- SQL Injection -->
<plugin>
<id>22964</id>
<family>CGI abuses</family>
<status>enabled</status>
</plugin>
<!-- XSS -->
<plugin>
<id>57605</id>
<family>Web Servers</family>
<status>enabled</status>
</plugin>
<!-- CSRF -->
<plugin>
<id>58580</id>
<family>Web Servers</family>
<status>enabled</status>
</plugin>
<!-- Authentication -->
<plugin>
<id>11757</id>
<family>Authentication</family>
<status>enabled</status>
</plugin>
<!-- Add more plugins here based on your desired coverage -->
</Plugins>
<Credentials>
<!-- Add credentials if required for authenticated scanning -->
</Credentials>
</Policy>

126
skills/security-test-scanner/assets/nmap_scan_template.sh Normal file
View File

@@ -0,0 +1,126 @@
#!/bin/bash
# Script Name: nmap_scan_template.sh
# Description: Template script for running Nmap scans with various options.
# Author: [Your Name/Organization]
# Date: 2023-10-27
# Exit immediately if a command exits with a non-zero status.
set -e
# Usage Instructions:
# ./nmap_scan_template.sh <target_ip_or_hostname> [options]
#
# Options:
# -p <port(s)>: Specify port(s) to scan (e.g., -p 80,443 or -p 1-1000)
# -sV: Enable version detection
# -sS: TCP SYN scan (default)
# -sT: TCP connect scan (if SYN scan is not possible)
# -sU: UDP scan
# -O: Enable OS detection
# -A: Enable aggressive scan (OS detection, version detection, script scanning, and traceroute)
# -T<0-5>: Set timing template (0=paranoid, 1=sneaky, 2=polite, 3=normal, 4=aggressive, 5=insane)
# -oN <output_file>: Output results to a normal format file
# -oX <output_file>: Output results to an XML format file
# -h: Display this help message
# Default values
TARGET=""
PORTS=""
SCAN_TYPE=""
VERSION_DETECTION=""
OS_DETECTION=""
AGGRESSIVE_SCAN=""
TIMING_TEMPLATE=""
OUTPUT_NORMAL=""
OUTPUT_XML=""
# Function to display usage instructions
usage() {
echo "Usage: ./nmap_scan_template.sh <target_ip_or_hostname> [options]"
echo
echo "Options:"
echo " -p <port(s)>: Specify port(s) to scan (e.g., -p 80,443 or -p 1-1000)"
echo " -sV: Enable version detection"
echo " -sS: TCP SYN scan (default)"
echo " -sT: TCP connect scan (if SYN scan is not possible)"
echo " -sU: UDP scan"
echo " -O: Enable OS detection"
echo " -A: Enable aggressive scan (OS detection, version detection, script scanning, and traceroute)"
echo " -T<0-5>: Set timing template (0=paranoid, 1=sneaky, 2=polite, 3=normal, 4=aggressive, 5=insane)"
echo " -oN <output_file>: Output results to a normal format file"
echo " -oX <output_file>: Output results to an XML format file"
echo " -h: Display this help message"
exit 1
}
# Parse command-line arguments
while getopts "p:sVsTUAOTo:o:h" opt; do
case "$opt" in
p)
PORTS="-p $OPTARG"
;;
s)
VERSION_DETECTION="-sV"
;;
S)
SCAN_TYPE="-sS"
;;
T)
SCAN_TYPE="-sT"
;;
U)
SCAN_TYPE="-sU"
;;
O)
OS_DETECTION="-O"
;;
A)
AGGRESSIVE_SCAN="-A"
;;
T)
TIMING_TEMPLATE="-T$OPTARG"
;;
o)
OUTPUT_NORMAL="-oN $OPTARG"
;;
O)
OUTPUT_XML="-oX $OPTARG"
;;
h)
usage
;;
\?)
echo "Invalid option: -$OPTARG" >&2
usage
;;
:)
echo "Option -$OPTARG requires an argument." >&2
usage
;;
esac
done
# Shift off the options, leaving the arguments
shift $((OPTIND-1))
# Check for the target IP or hostname
if [ -z "$1" ]; then
echo "Error: Target IP or hostname is required."
usage
fi
TARGET="$1"
# Construct the Nmap command
NMAP_COMMAND="nmap $PORTS $SCAN_TYPE $VERSION_DETECTION $OS_DETECTION $AGGRESSIVE_SCAN $TIMING_TEMPLATE $OUTPUT_NORMAL $OUTPUT_XML $TARGET"
# Print the Nmap command (for debugging)
echo "Running command: $NMAP_COMMAND"
# Execute the Nmap command
eval $NMAP_COMMAND
echo "Nmap scan completed."
exit 0

75
skills/security-test-scanner/assets/report_template.md Normal file
View File

@@ -0,0 +1,75 @@
# Security Test Scan Report
**Report Date:** `[Insert Date]`
**Application Name:** `[Insert Application Name]`
**Application Version:** `[Insert Application Version]`
**Report Generated By:** `[Insert Your Name/Organization]`
## 1. Executive Summary
`[Provide a concise summary of the security test findings. Highlight the most critical vulnerabilities and their potential impact. For example: "This report summarizes the results of a security scan conducted on [Application Name] version [Application Version] on [Date]. The scan identified [Number] high-severity vulnerabilities, including [Example Vulnerability 1] and [Example Vulnerability 2], which require immediate attention. The overall security posture of the application is [State Security Posture - e.g., 'moderate' or 'requires improvement']."]`
## 2. Scope of Assessment
### 2.1. In-Scope Targets
`[List the URLs, APIs, or other components that were included in the security scan. Be specific. For example: "The following URLs were included in the scope of the assessment:
* https://example.com/
* https://api.example.com/v1/" ]`
### 2.2. Out-of-Scope Targets
`[List any URLs, APIs, or other components that were explicitly excluded from the security scan. For example: "The following URLs were explicitly excluded from the scope of the assessment:
* https://example.com/documentation/"]`
## 3. Methodology
`[Describe the testing methodologies used during the security scan. Mention the tools used, if applicable. For example: "The security scan was performed using a combination of automated scanning tools (e.g., [Tool Name 1], [Tool Name 2]) and manual penetration testing techniques. The assessment focused on identifying vulnerabilities related to the OWASP Top 10, SQL injection, XSS, CSRF, authentication issues, and authorization flaws."]`
## 4. Vulnerability Findings
`[For each vulnerability, provide the following information. Use the below format as a template. Repeat for each finding.]`
### 4.1. Vulnerability Title: `[Vulnerability Name - e.g., SQL Injection]`
* **Severity:** `[Critical/High/Medium/Low/Informational]`
* **OWASP Category (if applicable):** `[e.g., A1:2021-Injection]`
* **Description:** `[Detailed explanation of the vulnerability. Explain what it is and how it works. For example: "SQL injection is a vulnerability that allows attackers to execute arbitrary SQL code on the backend database. This can lead to data breaches, data manipulation, and denial of service."]`
* **Location:** `[URL or API endpoint where the vulnerability was found. Be precise. For example: "https://example.com/login.php (parameter: username)"]`
* **Proof of Concept (PoC):** `[Step-by-step instructions or the exact payload used to exploit the vulnerability. For example: "1. Navigate to https://example.com/login.php. 2. Enter the following payload in the username field: ' OR '1'='1. 3. Click 'Login'. If the application logs you in without a valid username and password, it is vulnerable to SQL injection."]`
* **Impact:** `[Explain the potential consequences of the vulnerability. For example: "Successful exploitation of this SQL injection vulnerability could allow an attacker to gain unauthorized access to the database, retrieve sensitive information (e.g., usernames, passwords, credit card details), modify data, or even execute arbitrary commands on the server."]`
* **Recommendation:** `[Provide specific steps to remediate the vulnerability. For example: "Implement parameterized queries or prepared statements to prevent SQL injection. Validate and sanitize user input before using it in SQL queries."]`
* **Evidence:** `[Include screenshots, logs, or other evidence to support the finding. This could be a screenshot of the successful SQL injection, or a log entry showing the malicious query.]`
## 5. OWASP Top 10 Coverage
`[Summarize the coverage of the OWASP Top 10 vulnerabilities. For each category, indicate whether it was tested and, if so, the results. For example:]`
* **A1:2021-Injection:** `[Tested. SQL Injection vulnerability identified (see section 4.1).]`
* **A2:2021-Broken Authentication:** `[Tested. Weak password policies detected (see section 4.x).]`
* **A3:2021-Sensitive Data Exposure:** `[Tested. No sensitive data exposure vulnerabilities identified.]`
* **A4:2021-Insecure Design:** `[Partially Tested. Limited scope in this area.]`
* **A5:2021-Security Misconfiguration:** `[Tested. Default configuration settings found (see section 4.y).]`
* **A6:2021-Vulnerable and Outdated Components:** `[Tested. Outdated library detected (see section 4.z).]`
* **A7:2021-Identification and Authentication Failures:** `[Tested. Insecure session management identified (see section 4.w).]`
* **A8:2021-Software and Data Integrity Failures:** `[Not Tested. Scope limitation.]`
* **A9:2021-Security Logging and Monitoring Failures:** `[Tested. Insufficient logging detected (see section 4.v).]`
* **A10:2021-Server-Side Request Forgery (SSRF):** `[Tested. No SSRF vulnerabilities identified.]`
## 6. Overall Risk Assessment
`[Provide an overall assessment of the application's security risk based on the findings. Consider the severity and likelihood of exploitation of the identified vulnerabilities. For example: "Based on the findings of this security scan, the overall risk level for [Application Name] is considered [High/Medium/Low]. The presence of [Number] high-severity vulnerabilities, particularly [Example Vulnerability], poses a significant threat to the confidentiality, integrity, and availability of the application and its data."]`
## 7. Recommendations
`[Provide general recommendations for improving the application's security posture. These should be broader than the individual vulnerability remediation steps. For example:]`
* `Prioritize remediation of high-severity vulnerabilities.`
* `Implement a secure development lifecycle (SDLC).`
* `Conduct regular security testing and code reviews.`
* `Provide security awareness training to developers.`
* `Establish and maintain a vulnerability management program.`
## 8. Disclaimer
`[Include a disclaimer stating the limitations of the security assessment. For example: "This security assessment was conducted based on the information available at the time of the assessment and is limited to the scope defined in section 2. The findings and recommendations presented in this report are intended to improve the security posture of the application but do not guarantee complete security. The security of an application is an ongoing process, and continuous monitoring and improvement are essential."]`

8
skills/security-test-scanner/references/README.md Normal file
View File

@@ -0,0 +1,8 @@
# References
Bundled resources for security-test-scanner skill
- [ ] owasp_top_10_2021.md: Detailed documentation on the OWASP Top 10 vulnerabilities (2021 version).
- [ ] sql_injection_cheatsheet.md: Comprehensive guide on SQL injection techniques and prevention methods.
- [ ] xss_prevention_guide.md: Detailed guide on XSS vulnerabilities and how to prevent them.
- [ ] security_testing_best_practices.md: Best practices for conducting security testing and vulnerability assessments.

7
skills/security-test-scanner/scripts/README.md Normal file
View File

@@ -0,0 +1,7 @@
# Scripts
Bundled resources for security-test-scanner skill
- [ ] security_scan.py: Automates the execution of security scans using tools like Nmap, Nessus, or custom scripts.
- [ ] report_parser.py: Parses security scan reports (e.g., Nmap XML, Nessus CSV) and extracts key findings.
- [ ] owasp_checker.py: Checks for OWASP Top 10 vulnerabilities based on scan results.