ReddRadar
Agent skill
owasp-security-scanner
Automated OWASP Top 10 vulnerability detection and assessment. Run OWASP ZAP automated scans, detect injection vulnerabilities, identify broken authentication patterns, check for sensitive data exposure, analyze security misconfigurations, and generate OWASP-compliant reports.
Install this agent skill to your Project
npx add-skill https://github.com/a5c-ai/babysitter/tree/main/library/specializations/security-compliance/skills/owasp-security-scanner
Metadata
Additional technical details for this skill
- author
- babysitter-sdk
- version
- 1.0.0
- category
- security-testing
- backlog id
- SK-SEC-001
SKILL.md
owasp-security-scanner
You are owasp-security-scanner - a specialized skill for automated OWASP Top 10 vulnerability detection and assessment. This skill provides comprehensive capabilities for identifying web application security vulnerabilities based on OWASP guidelines.
Overview
This skill enables AI-powered OWASP security scanning including:
- OWASP ZAP automated and manual scanning
- OWASP Top 10 2021 vulnerability detection
- Injection vulnerability testing (SQL, XSS, LDAP, Command)
- Broken authentication and session management analysis
- Sensitive data exposure detection
- Security misconfiguration identification
- OWASP-compliant report generation
Prerequisites
- OWASP ZAP installed (GUI or headless)
- Target application URL (web application)
- Optional: Authentication credentials for authenticated scanning
- Optional: OpenAPI/Swagger specification for API scanning
Capabilities
1. OWASP ZAP Baseline Scan
Quick passive scan for common vulnerabilities:
# Docker-based baseline scan
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
-t https://target.example.com \
-J baseline-report.json
# With configuration file
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
-t https://target.example.com \
-c zap-baseline.conf \
-J baseline-report.json
# Include AJAX spider for JavaScript-heavy apps
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
-t https://target.example.com \
-j \
-J baseline-report.json
2. OWASP ZAP Full Scan
Comprehensive active scanning:
# Full scan (includes active scanning)
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
-t https://target.example.com \
-J full-scan-report.json
# Full scan with longer timeout
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
-t https://target.example.com \
-m 60 \
-J full-scan-report.json
# Scan with custom policy
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
-t https://target.example.com \
-z "-config scanner.strength=INSANE" \
-J full-scan-report.json
3. OWASP ZAP API Scan
For REST/GraphQL API testing:
# Scan with OpenAPI spec
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
-t openapi.yaml \
-f openapi \
-J api-scan-report.json
# Scan with GraphQL schema
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
-t https://api.example.com/graphql \
-f graphql \
-J graphql-scan-report.json
# API scan with auth header
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-api-scan.py \
-t https://api.example.com/openapi.json \
-f openapi \
-z "-config replacer.full_list(0).description=auth \
-config replacer.full_list(0).enabled=true \
-config replacer.full_list(0).matchtype=REQ_HEADER \
-config replacer.full_list(0).matchstr=Authorization \
-config replacer.full_list(0).replacement='Bearer TOKEN'" \
-J api-scan-report.json
4. Authenticated Scanning
# Form-based authentication
docker run -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
-t https://target.example.com \
-z "-config authentication.method=formBasedAuthentication \
-config authentication.loginUrl=https://target.example.com/login \
-config authentication.username=testuser \
-config authentication.password=testpass" \
-J auth-scan-report.json
# Session token authentication
# Create context file first
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py \
-t https://target.example.com \
-n context.context \
-J auth-scan-report.json
5. OWASP Top 10 2021 Detection
A01:2021 - Broken Access Control
# ZAP rules for access control testing
# Active scan policy focusing on access control
zap-cli active-scan \
--scanpolicyname "access-control" \
--recurse \
https://target.example.com
# Manual testing for IDOR
# Test parameter manipulation
curl -H "Authorization: Bearer $TOKEN" \
"https://api.example.com/users/123" # Should only access own user
curl -H "Authorization: Bearer $TOKEN" \
"https://api.example.com/users/456" # Test IDOR
A02:2021 - Cryptographic Failures
# SSL/TLS analysis with testssl.sh
docker run -it drwetter/testssl.sh https://target.example.com
# Check for weak ciphers
nmap --script ssl-enum-ciphers -p 443 target.example.com
# ZAP passive rules detect:
# - Missing HSTS
# - Weak SSL/TLS
# - Mixed content
# - Insecure cookies
A03:2021 - Injection
# ZAP includes comprehensive injection testing:
# - SQL Injection
# - XSS (Reflected, Stored, DOM-based)
# - LDAP Injection
# - OS Command Injection
# - XML Injection
# SQLMap for advanced SQL injection
sqlmap -u "https://target.example.com/search?q=test" --batch --forms
A04:2021 - Insecure Design
Design-level security review checklist:
- Threat modeling completed
- Security requirements documented
- Secure design patterns used
- Defense in depth implemented
A05:2021 - Security Misconfiguration
# ZAP detects:
# - Default credentials
# - Unnecessary features enabled
# - Error handling exposing info
# - Missing security headers
# Additional header checks
curl -I https://target.example.com | grep -i "x-frame-options\|content-security-policy\|x-content-type-options"
A06:2021 - Vulnerable Components
# Retire.js for JavaScript libraries
retire --js --path ./public/js --outputformat json
# ZAP includes vulnerable library detection
# Also use dependency-scanner skill for comprehensive SCA
A07:2021 - Authentication Failures
ZAP authentication testing includes:
- Brute force protection
- Session management
- Password policies
- Multi-factor authentication bypass
A08:2021 - Software and Data Integrity Failures
Checks for:
- CI/CD pipeline security
- Unsigned updates
- Deserialization vulnerabilities
A09:2021 - Security Logging Failures
Review:
- Audit logging implementation
- Log injection vulnerabilities
- Log storage security
A10:2021 - Server-Side Request Forgery
# ZAP SSRF detection through active scanning
# Manual testing
curl "https://target.example.com/fetch?url=http://169.254.169.254/latest/meta-data/"
6. Report Generation
JSON Report
{
"@version": "2.14.0",
"@generated": "2026-01-24T10:00:00Z",
"site": [{
"@name": "https://target.example.com",
"alerts": [{
"pluginid": "10021",
"alertRef": "10021",
"alert": "X-Content-Type-Options Header Missing",
"name": "X-Content-Type-Options Header Missing",
"riskcode": "1",
"confidence": "2",
"riskdesc": "Low (Medium)",
"cweid": "693",
"wascid": "15",
"description": "The Anti-MIME-Sniffing header...",
"solution": "Ensure that the application sets the Content-Type header appropriately...",
"reference": "https://owasp.org/...",
"instances": [{
"uri": "https://target.example.com/",
"method": "GET",
"param": "X-Content-Type-Options"
}]
}]
}]
}
HTML Report
# Generate HTML report
docker run -v $(pwd):/zap/wrk:rw -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
-t https://target.example.com \
-r owasp-report.html
MCP Server Integration
This skill can leverage the following MCP servers:
| Server | Description | Installation |
|---|---|---|
| ZAP-MCP | AI-powered OWASP ZAP integration | GitHub |
| mcp-zap-server | Spring Boot ZAP MCP server | GitHub |
| pentestMCP | 20+ tools including ZAP | GitHub |
ZAP-MCP Features
- Automated scan initiation
- Result parsing and analysis
- AI-powered vulnerability assessment
- Remediation guidance generation
Best Practices
Scanning Strategy
- Baseline First - Start with passive baseline scan
- Scope Definition - Define clear target scope
- Authentication - Configure proper auth for full coverage
- Rate Limiting - Respect target rate limits
- Exclude Sensitive - Exclude logout, delete, payment endpoints
Scan Configuration
# zap-baseline.conf
# Format: rule_id action parameter
10021 WARN # X-Content-Type-Options
10038 WARN # CSP Header Missing
10098 WARN # Cross-Domain Misconfiguration
40012 FAIL # Cross Site Scripting (Reflected)
40014 FAIL # Cross Site Scripting (Persistent)
40018 FAIL # SQL Injection
CI/CD Integration
# GitHub Actions example
name: OWASP Security Scan
on: [push, pull_request]
jobs:
zap-scan:
runs-on: ubuntu-latest
steps:
- name: ZAP Baseline Scan
uses: zaproxy/action-baseline@v0.10.0
with:
target: 'https://staging.example.com'
rules_file_name: '.zap-rules.tsv'
- name: Upload Report
uses: actions/upload-artifact@v3
with:
name: zap-report
path: report_html.html
Process Integration
This skill integrates with the following processes:
dast-scanning.js- Dynamic security testing pipelinepenetration-testing.js- Comprehensive pen testingsecurity-assessment.js- Security assessment workflowdevsecops-pipeline.js- DevSecOps automation
Output Format
When executing operations, provide structured output:
{
"operation": "owasp-scan",
"scan_type": "full",
"status": "completed",
"target": "https://target.example.com",
"scan_duration_seconds": 1845,
"summary": {
"total_alerts": 45,
"by_risk": {
"high": 3,
"medium": 12,
"low": 18,
"informational": 12
},
"owasp_coverage": {
"A01_Broken_Access_Control": 2,
"A02_Cryptographic_Failures": 1,
"A03_Injection": 5,
"A05_Security_Misconfiguration": 8,
"A06_Vulnerable_Components": 3,
"A07_Auth_Failures": 2
}
},
"high_priority_findings": [
{
"name": "SQL Injection",
"risk": "high",
"owasp": "A03:2021",
"cwe": "CWE-89",
"url": "https://target.example.com/search",
"parameter": "query",
"evidence": "Error message: SQL syntax error"
}
],
"artifacts": ["full-scan-report.json", "owasp-report.html"]
}
Error Handling
Common Issues
| Error | Cause | Resolution |
|---|---|---|
Connection refused |
Target not reachable | Verify target URL and network |
Authentication failed |
Invalid credentials | Check auth configuration |
Scan timeout |
Large application | Increase timeout or scope |
Rate limited |
Too aggressive | Adjust scan speed settings |
Constraints
- Always obtain proper authorization before scanning
- Never scan production systems without approval
- Configure appropriate scan speeds for target infrastructure
- Exclude destructive actions (logout, delete) from scope
- Respect rate limits and server capacity
- Document all findings with remediation guidance
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
a5c-ai/babysitter
gsd-tools
Central utility skill for GSD operations. Provides config parsing, slug generation, timestamps, path operations, and orchestrates calls to other specialized skills. Acts as the unified entry point that the original gsd-tools.cjs provided via its lib/ modules (commands, config, core, init).
a5c-ai/babysitter
model-profile-resolution
Resolve model profile (quality/balanced/budget) at orchestration start and map agents to specific models. Enables cost/quality tradeoffs by selecting appropriate AI models for each agent role.
a5c-ai/babysitter
verification-suite
Plan structure validation, phase completeness checks, reference integrity verification, and artifact existence confirmation. Provides the structured verification layer ensuring GSD artifacts are well-formed and complete.
a5c-ai/babysitter
state-management
STATE.md reading, writing, and field-level updates. Provides cross-session state persistence via .planning/STATE.md with structured fields for current task, completed phases, blockers, decisions, and quick tasks.
a5c-ai/babysitter
git-integration
Git commit patterns, formats, and conventions for GSD methodology. Provides atomic commits per task, structured commit messages, planning file commits, branch management, and milestone tag operations.
a5c-ai/babysitter
frontmatter-parsing
YAML frontmatter parsing and manipulation for .planning/ documents. Provides read, write, update, query, and validation operations on frontmatter blocks in GSD markdown artifacts.
Didn't find tool you were looking for?