owasp-top-10
OWASP Web Application Top 10
This skill encodes the OWASP Top 10 web application security risks for secure design, code review, and vulnerability prevention. References are loaded per risk (progressive disclosure).
Based on OWASP Top 10:2021 with 2025 RC callouts where applicable.
When to Read Which Reference
| Risk | Read |
|---|---|
| A01 Broken Access Control | references/a01-broken-access-control.md |
| A02 Cryptographic Failures | references/a02-cryptographic-failures.md |
| A03 Injection | references/a03-injection.md |
| A04 Insecure Design | references/a04-insecure-design.md |
| A05 Security Misconfiguration | references/a05-security-misconfiguration.md |
| A06 Vulnerable and Outdated Components | references/a06-vulnerable-components.md |
| A07 Identification and Authentication Failures | references/a07-authentication-failures.md |
| A08 Software and Data Integrity Failures | references/a08-integrity-failures.md |
| A09 Security Logging and Monitoring Failures | references/a09-logging-monitoring-failures.md |
| A10 Server-Side Request Forgery (SSRF) | references/a10-ssrf.md |
Supply chain / dependencies → A06 (2025 A03 Software Supply Chain expands this).
Quick Patterns
- Validate and sanitize at boundaries; use parameterized queries and allowlists.
- Apply least privilege and deny-by-default for access control.
- Use safe defaults in configuration; disable unnecessary features and change default credentials.
- Track and update dependencies; verify integrity of artifacts and pipelines.
Quick Reference / Examples
| Task | Approach |
|---|---|
| Prevent SQL injection | Use parameterized queries; never concatenate user input. See A03. |
| Enforce access control | Check "can this user access this resource?" server-side before returning data. See A01. |
| Protect sensitive data | Use strong encryption (AES-256, RSA-2048+), secure key storage, TLS everywhere. See A02. |
| Harden configuration | Disable defaults, set security headers (CSP, HSTS), use generic error pages. See A05. |
| Manage dependencies | Track versions, run npm audit / pip audit, update promptly. See A06. |
Safe - parameterized query:
cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
Unsafe - SQL injection risk:
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}") # NEVER do this
Safe - authorization check:
def get_document(doc_id, current_user):
doc = Document.query.get(doc_id)
if doc.owner_id != current_user.id:
raise PermissionError("Access denied")
return doc
Workflow
- Reviewing access control → Read references/a01-broken-access-control.md.
- Adding or changing authentication → Read references/a07-authentication-failures.md.
- Handling user input or queries → Read references/a03-injection.md.
- Designing a new feature → Read references/a04-insecure-design.md, then the relevant A0x for the feature.
- Aligning with OWASP 2025 → See notes in A01 (SSRF), A06 (supply chain), and A10 (exceptional conditions below).
2025 A10 – Mishandling of Exceptional Conditions: Handle exceptions and errors safely; avoid leaking sensitive information in stack traces or messages; fail secure. See OWASP Top 10:2025 for the full category.
Load reference files only when relevant to the task.
More from yariv1025/skills
owasp-mobile-top-10
OWASP Mobile Top 10 - prevention, detection, and remediation for iOS/Android app security. Use when building or reviewing mobile apps - credentials, supply chain, auth, input/output validation, communication, privacy, binary protection, config, data storage, cryptography.
16owasp-api-security-top-10
OWASP API Security Top 10 - prevention, detection, and remediation for REST/GraphQL/API security. Use when designing or reviewing APIs - object- and function-level authorization, authentication, rate limiting and resource consumption, sensitive business flows, SSRF, API inventory and versioning, or consumption of third-party APIs.
14agent-dev-guardrails
Enforce disciplined agent development workflows with plan-first development, small-slice execution, specialized self-review roles, quality gates, and project setup. Use when starting a new project, setting up development conventions, wanting structured planning, or needing the agent to follow best practices for code quality, review, and validation.
8owasp-iot-top-10
OWASP IoT Top 10 - prevention, detection, and remediation for IoT device and ecosystem security. Use when designing or reviewing IoT devices - passwords, network services, ecosystem interfaces, secure updates, components, data transfer/storage, device management, default settings, physical hardening, privacy.
7owasp-cicd-top-10
OWASP Top 10 CI/CD Security Risks - prevention, detection, and remediation for pipeline security. Use when securing or reviewing CI/CD - flow control, IAM, dependency chain, poisoned pipeline execution, PBAC, credential hygiene, system config, third-party services, artifact integrity, logging and visibility.
6owasp-cloud-native-top-10
OWASP Cloud-Native Application Security Top 10 - prevention, detection, and remediation for containers, orchestration, and cloud-native apps. Use when securing insecure config, injection, auth, CI/CD and supply chain, secrets, network policies. Note - official list has 6 risks; project archived.
6