Z
zebbern
@mayurrathi
⭐ 40.7k GitHub stars

Top Web Vulnerabilities

Top Web Vulnerabilities is an code AI skill with a core value of This skill should be used when the user asks to \"identify web application vulnerabilities\", \"explain common security flaws\", \"understand vulnerability categories\", \"learn about inject. It helps developers solve real-world problems in the code domain, boosting efficiency, automating repetitive tasks, and optimizing workflows.

This skill should be used when the user asks to \"identify web application vulnerabilities\", \"explain common security flaws\", \"understand vulnerability categories\", \"learn about inject...

Last verified on: 2026-07-07

Quick Facts

Category code
Works With Claude
Source sickn33/antigravity-awesome-skills
Stars ⭐ 40.7k
Last Verified 2026-07-07
Risk Level Low
mkdir -p ./skills/top-web-vulnerabilities && curl -sfL https://raw.githubusercontent.com/sickn33/antigravity-awesome-skills/main/skills/top-web-vulnerabilities/SKILL.md -o ./skills/top-web-vulnerabilities/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# Top 100 Web Vulnerabilities Reference


Purpose


Provide a comprehensive, structured reference for the 100 most critical web application vulnerabilities organized by category. This skill enables systematic vulnerability identification, impact assessment, and remediation guidance across the full spectrum of web security threats. Content organized into 15 major vulnerability categories aligned with industry standards and real-world attack patterns.


Prerequisites


- Basic understanding of web application architecture (client-server model, HTTP protocol)

- Familiarity with common web technologies (HTML, JavaScript, SQL, XML, APIs)

- Understanding of authentication and authorization concepts

- Access to web application security testing tools (Burp Suite, OWASP ZAP)

- Knowledge of secure coding principles recommended


Outputs and Deliverables


- Complete vulnerability catalog with definitions, root causes, impacts, and mitigations

- Category-based vulnerability groupings for systematic assessment

- Quick reference for security testing and remediation

- Foundation for vulnerability assessment checklists and security policies


---


Core Workflow


Phase 1: Injection Vulnerabilities Assessment


Evaluate injection attack vectors targeting data processing components:


**SQL Injection (1)**

- Definition: Malicious SQL code inserted into input fields to manipulate database queries

- Root Cause: Lack of input validation, improper use of parameterized queries

- Impact: Unauthorized data access, data manipulation, database compromise

- Mitigation: Use parameterized queries/prepared statements, input validation, least privilege database accounts


**Cross-Site Scripting - XSS (2)**

- Definition: Injection of malicious scripts into web pages viewed by other users

- Root Cause: Insufficient output encoding, lack of input sanitization

- Impact: Session hijacking, credential theft, website defacement

- Mitigation: Output encoding, Content Security Policy (CSP), input sanitization


**Command Injection (5, 11)**

- Definition: Execution of arbitrary system commands through vulnerable applications

- Root Cause: Unsanitized user input passed to system shells

- Impact: Full system compromise, data exfiltration, lateral movement

- Mitigation: Avoid shell execution, whitelist valid commands, strict input validation


**XML Injection (6), LDAP Injection (7), XPath Injection (8)**

- Definition: Manipulation of XML/LDAP/XPath queries through malicious input

- Root Cause: Improper input handling in query construction

- Impact: Data exposure, authentication bypass, information disclosure

- Mitigation: Input validation, parameterized queries, escape special characters


**Server-Side Template Injection - SSTI (13)**

- Definition: Injection of malicious code into template engines

- Root Cause: User input embedded directly in template expressions

- Impact: Remote code execution, server compromise

- Mitigation: Sandbox template engines, avoid user input in templates, strict input validation


Phase 2: Authentication and Session Security


Assess authentication mechanism weaknesses:


**Session Fixation (14)**

- Definition: Attacker sets victim's session ID before authentication

- Root Cause: Session ID not regenerated after login

- Impact: Session hijacking, unauthorized account access

- Mitigation: Regenerate session ID on authentication, use secure session management


**Brute Force Attack (15)**

- Definition: Systematic password guessing using automated tools

- Root Cause: Lack of account lockout, rate limiting, or CAPTCHA

- Impact: Unauthorized access, credential compromise

- Mitigation: Account lockout policies, rate limiting, MFA, CAPTCHA


**Session Hijacking (16)**

- Definition: Attacker steals or predicts valid session tokens

- Root Cause: Weak session token generation, insecure transmission

- Impact: Account takeover, unauthorized access

- Mitigation: Secure random token generation, HTTPS, HttpOnly/Secure cookie flags


**Credential Stuffing

🎯 Best For

  • Security auditors
  • DevSecOps teams
  • Compliance officers
  • Claude users
  • Software engineers

💡 Use Cases

  • Auditing dependencies for known CVEs
  • Scanning API endpoints for auth gaps
  • Code quality improvement
  • Best practice enforcement

📖 How to Use This Skill

  1. 1

    Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. 2

    Load into Your AI Assistant

    Open Claude and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. 3

    Apply Top Web Vulnerabilities to Your Work

    Open your project in the AI assistant and ask it to apply the skill. Start with a small module to verify the output quality.

  4. 4

    Review and Refine

    Review AI suggestions before committing. Run tests, check for regressions, and iterate on the skill output.

❓ Frequently Asked Questions

Can this replace a dedicated SAST tool?

AI-based security review is complementary to SAST tools. Use it as a first-pass filter, not a replacement.

Is Top Web Vulnerabilities compatible with Cursor and VS Code?

Yes — this skill works with any AI coding assistant including Cursor, VS Code with Copilot, and JetBrains IDEs.

Do I need specific dependencies for Top Web Vulnerabilities?

Check the install command and Works With section. Most code skills only require the AI assistant and your codebase.

How do I install Top Web Vulnerabilities?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/top-web-vulnerabilities/SKILL.md, ready to use.

Can I customize this skill for my team?

Absolutely. Edit the SKILL.md file to add team-specific instructions, examples, or workflows.

⚠️ Common Mistakes to Avoid

Only scanning surface-level issues

Deep security review requires understanding your app architecture, not just regex patterns.

Skipping validation

Always test AI-generated code changes, even for simple refactors.

Missing dependency updates

Check if the skill requires updated dependencies or new packages.

🔗 Related Skills