owasp-security-review
OWASP Top 10:2025 Security Review
<quick_reference>
Quick reference
| # | Category | Key risk | Avg incidence |
|---|---|---|---|
| A01 | Broken Access Control | Unauthorized data access, privilege escalation, SSRF, CSRF | 3.74% |
| A02 | Security Misconfiguration | Default creds, verbose errors, missing hardening, XXE | 3.00% |
| A03 | Software Supply Chain Failures | Vulnerable/malicious dependencies, compromised build pipelines | 5.72% |
| A04 | Cryptographic Failures | Weak algorithms, hardcoded keys, missing encryption, weak hashing | 3.80% |
| A05 | Injection | SQLi, XSS, command injection, LDAP/XPath/EL injection | 3.08% |
| A06 | Insecure Design | Missing threat modeling, business logic flaws, insufficient controls | 1.86% |
| A07 | Authentication Failures | Credential stuffing, weak passwords, session fixation, missing MFA | 2.92% |
| A08 | Software/Data Integrity Failures | Unsigned updates, insecure deserialization, untrusted CDN code | 2.75% |
| A09 | Security Logging & Alerting Failures | Missing audit logs, no alerting, log injection, sensitive data in logs | 3.91% |
| A10 | Mishandling of Exceptional Conditions | Failing open, info leakage via errors, unchecked return values | 2.95% |
Severity classification
Use these severity levels when reporting findings:
- Critical: Directly exploitable, leads to full system compromise or mass data breach (e.g., SQLi with no parameterization, hardcoded admin credentials, missing auth on admin endpoints).
- High: Exploitable with moderate effort, significant data exposure or privilege escalation (e.g., IDOR, weak password hashing, SSRF, deserialization of untrusted data).
- Medium: Exploitable under specific conditions, limited impact (e.g., missing CSRF protection, verbose error messages, missing security headers).
- Low: Defense-in-depth issue, minimal direct impact (e.g., missing rate limiting, incomplete logging, suboptimal crypto configuration).
</quick_reference>
Workflows
<phase_1_code_review>
Code review for security
Systematically check the code against each relevant category:
- Identify the code's surface area — Does it handle auth? User input? File uploads? External data? Crypto? Error responses?
- Select relevant categories from the table above based on the surface area.
- Load the reference file for each relevant category and check the code against the "What to look for" section.
- Report findings grouped by category with severity (Critical/High/Medium/Low), the specific code location, and a concrete fix.
Priority order for review (highest impact first):
[CRITICAL]Input handling code → A05 (Injection), A01 (Access Control)[CRITICAL]Auth/session code → A07 (Authentication), A01 (Access Control)[HIGH]Data storage/transmission → A04 (Cryptographic Failures)[HIGH]Configuration/deployment → A02 (Security Misconfiguration)[HIGH]Dependencies → A03 (Supply Chain)[MEDIUM]Error handling → A10 (Exceptional Conditions), A09 (Logging)[MEDIUM]Architecture/design → A06 (Insecure Design)[MEDIUM]Data integrity → A08 (Integrity Failures) </phase_1_code_review>
<phase_2_audit_checklist>
Security audit checklist
Generate a checklist for a feature or codebase:
- Read the feature/codebase to understand its scope.
- For each of the 10 categories, determine if it applies.
- For applicable categories, load the reference file and produce a checklist of items to verify.
- Output a markdown checklist grouped by category. </phase_2_audit_checklist>
<phase_3_remediation>
Remediation guidance
When a vulnerability is identified:
- Classify it into the correct OWASP category.
- Load the corresponding reference file.
- Apply the prevention checklist to produce a specific, actionable fix.
- Provide a code example of the fix when possible. </phase_3_remediation>
Reference files
Load the relevant file when you need detailed guidance for a specific category:
- A01 Broken Access Control — authorization checks, IDOR, CORS, CSRF, path traversal: references/a01-broken-access-control.md
- A02 Security Misconfiguration — hardening, default creds, error messages, headers, XXE: references/a02-security-misconfiguration.md
- A03 Supply Chain Failures — dependency management, SBOM, build pipeline security: references/a03-supply-chain-failures.md
- A04 Cryptographic Failures — encryption, hashing, key management, TLS, PRNG: references/a04-cryptographic-failures.md
- A05 Injection — SQL, XSS, command, ORM, LDAP, template injection: references/a05-injection.md
- A06 Insecure Design — threat modeling, business logic, secure SDLC: references/a06-insecure-design.md
- A07 Authentication Failures — credential stuffing, MFA, session management, password policy: references/a07-authentication-failures.md
- A08 Integrity Failures — deserialization, code signing, untrusted sources, CDN trust: references/a08-integrity-failures.md
- A09 Logging & Alerting — audit trails, log injection, alerting, sensitive data in logs: references/a09-logging-alerting-failures.md
- A10 Exceptional Conditions — error handling, fail-closed, resource cleanup, info leakage: references/a10-exceptional-conditions.md
More from jgamaraalv/ts-dev-kit
bullmq
BullMQ queue system reference for Redis-backed job queues, workers, flows, and schedulers. Use when: (1) creating queues and workers with BullMQ, (2) adding jobs (delayed, prioritized, repeatable, deduplicated), (3) setting up FlowProducer parent-child job hierarchies, (4) configuring retry strategies, rate limiting, or concurrency, (5) implementing job schedulers with cron/interval patterns, (6) preparing BullMQ for production (graceful shutdown, Redis config, monitoring), or (7) debugging stalled jobs or connection issues
46ioredis
ioredis v5 reference for Node.js Redis client — connection setup, RedisOptions, pipelines, transactions, Pub/Sub, Lua scripting, Cluster, and Sentinel. Use when: (1) creating or configuring Redis connections (standalone, cluster, sentinel), (2) writing Redis commands with ioredis (get/set, pipelines, multi/exec), (3) setting up Pub/Sub or Streams, (4) configuring retryStrategy, TLS, or auto-pipelining, (5) working with Redis Cluster options (scaleReads, NAT mapping), or (6) debugging ioredis connection issues. Important: use named import `import { Redis } from 'ioredis'` for correct TypeScript types with NodeNext.
35nextjs-best-practices
Next.js App Router best practices — file conventions, RSC boundaries, data patterns, async APIs, metadata, error handling, route handlers, image/font optimization, bundling. Use when writing, reviewing, or debugging Next.js App Router code.
29ui-ux-guidelines
Review UI code for Web Interface Guidelines compliance. Use when asked to review UI, check accessibility, audit design, review UX, or check against best practices.
26service-worker
Service Worker API implementation guide — registration, lifecycle management, caching strategies, push notifications, and background sync. Use when: (1) creating or modifying service worker files (sw.js), (2) implementing offline-first caching (cache-first, network-first, stale-while-revalidate), (3) setting up push notifications or background sync, (4) debugging service worker registration, scope, or update issues, (5) implementing navigation preload, (6) user mentions 'service worker', 'sw.js', 'offline support', 'cache strategy', 'push notification', 'background sync', 'workbox alternative', or 'PWA caching'.
25composition-patterns
React composition patterns that scale. Use when refactoring components with boolean prop proliferation, building flexible component libraries, or designing reusable APIs. Triggers on tasks involving compound components, render props, context providers, or component architecture. Includes React 19 API changes.
23