{"id":"0ed4162b-bb1e-4e91-ba56-02ce7190cbe8","shortId":"h8JR6T","kind":"skill","title":"web-security-testing","tagline":"Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.","description":"# Web Security Testing Workflow\n\n## Overview\n\nSpecialized workflow for testing web applications against OWASP Top 10 vulnerabilities including injection attacks, XSS, broken authentication, and access control issues.\n\n## When to Use This Workflow\n\nUse this workflow when:\n- Testing web application security\n- Performing OWASP Top 10 assessment\n- Conducting penetration tests\n- Validating security controls\n- Bug bounty hunting\n\n## Workflow Phases\n\n### Phase 1: Reconnaissance\n\n#### Skills to Invoke\n- `scanning-tools` - Security scanning\n- `top-web-vulnerabilities` - OWASP knowledge\n\n#### Actions\n1. Map application surface\n2. Identify technologies\n3. Discover endpoints\n4. Find subdomains\n5. Document findings\n\n#### Copy-Paste Prompts\n```\nUse @scanning-tools to perform web application reconnaissance\n```\n\n### Phase 2: Injection Testing\n\n#### Skills to Invoke\n- `sql-injection-testing` - SQL injection\n- `sqlmap-database-pentesting` - SQLMap\n\n#### Actions\n1. Test SQL injection\n2. Test NoSQL injection\n3. Test command injection\n4. Test LDAP injection\n5. Document vulnerabilities\n\n#### Copy-Paste Prompts\n```\nUse @sql-injection-testing to test for SQL injection\n```\n\n```\nUse @sqlmap-database-pentesting to automate SQL injection testing\n```\n\n### Phase 3: XSS Testing\n\n#### Skills to Invoke\n- `xss-html-injection` - XSS testing\n- `html-injection-testing` - HTML injection\n\n#### Actions\n1. Test reflected XSS\n2. Test stored XSS\n3. Test DOM-based XSS\n4. Test XSS filters\n5. 
Document findings\n\n#### Copy-Paste Prompts\n```\nUse @xss-html-injection to test for cross-site scripting\n```\n\n### Phase 4: Authentication Testing\n\n#### Skills to Invoke\n- `broken-authentication` - Authentication testing\n\n#### Actions\n1. Test credential stuffing\n2. Test brute force protection\n3. Test session management\n4. Test password policies\n5. Test MFA implementation\n\n#### Copy-Paste Prompts\n```\nUse @broken-authentication to test authentication security\n```\n\n### Phase 5: Access Control Testing\n\n#### Skills to Invoke\n- `idor-testing` - IDOR testing\n- `file-path-traversal` - Path traversal\n\n#### Actions\n1. Test vertical privilege escalation\n2. Test horizontal privilege escalation\n3. Test IDOR vulnerabilities\n4. Test directory traversal\n5. Test unauthorized access\n\n#### Copy-Paste Prompts\n```\nUse @idor-testing to test for insecure direct object references\n```\n\n```\nUse @file-path-traversal to test for path traversal\n```\n\n### Phase 6: Security Headers\n\n#### Skills to Invoke\n- `api-security-best-practices` - Security headers\n\n#### Actions\n1. Check CSP implementation\n2. Verify HSTS configuration\n3. Test X-Frame-Options\n4. Check X-Content-Type-Options\n5. Verify referrer policy\n\n#### Copy-Paste Prompts\n```\nUse @api-security-best-practices to audit security headers\n```\n\n### Phase 7: Reporting\n\n#### Skills to Invoke\n- `reporting-standards` - Security reporting\n\n#### Actions\n1. Document vulnerabilities\n2. Assess risk levels\n3. Provide remediation\n4. Create proof of concept\n5. 
Generate report\n\n#### Copy-Paste Prompts\n```\nUse @reporting-standards to create security report\n```\n\n## OWASP Top 10 Checklist\n\n- [ ] A01: Broken Access Control\n- [ ] A02: Cryptographic Failures\n- [ ] A03: Injection\n- [ ] A04: Insecure Design\n- [ ] A05: Security Misconfiguration\n- [ ] A06: Vulnerable Components\n- [ ] A07: Authentication Failures\n- [ ] A08: Software/Data Integrity\n- [ ] A09: Logging/Monitoring\n- [ ] A10: SSRF\n\n## Quality Gates\n\n- [ ] All OWASP Top 10 tested\n- [ ] Vulnerabilities documented\n- [ ] Proof of concepts captured\n- [ ] Remediation provided\n- [ ] Report generated\n\n## Related Workflow Bundles\n\n- `security-audit` - Security auditing\n- `api-security-testing` - API security\n- `wordpress-security` - WordPress security\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.","tags":["web","security","testing","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding"],"capabilities":["skill","source-sickn33","skill-web-security-testing","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/web-security-testing","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add 
sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34404 github stars · SKILL.md body (4,028 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T00:51:57.889Z","embedding":null,"createdAt":"2026-04-18T21:47:25.935Z","updatedAt":"2026-04-22T00:51:57.889Z","lastSeenAt":"2026-04-22T00:51:57.889Z","prices":[{"id":"0d0598f7-24e6-47f4-b74e-035834b46f5b","listingId":"0ed4162b-bb1e-4e91-ba56-02ce7190cbe8","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:47:25.935Z"}],"sources":[{"listingId":"0ed4162b-bb1e-4e91-ba56-02ce7190cbe8","source":"github","sourceId":"sickn33/antigravity-awesome-skills/web-security-testing","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/web-security-testing","isPrimary":false,"firstSeenAt":"2026-04-18T21:47:25.935Z","lastSeenAt":"2026-04-22T00:51:57.889Z"}],"details":{"listingId":"0ed4162b-bb1e-4e91-ba56-02ce7190cbe8","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"web-security-testing","githu
b":{"repo":"sickn33/antigravity-awesome-skills","stars":34404,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-21T16:43:40Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"1741e03901e06817ebf18777c0ee06c635d3248a","skill_md_path":"skills/web-security-testing/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/web-security-testing"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"web-security-testing","description":"Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/web-security-testing"},"updatedAt":"2026-04-22T00:51:57.889Z"}}