MR
Mayur Rathi
@mayurrathi
⭐ 40.7k GitHub stars

Web Security Testing

Web Security Testing is an code AI skill with a core value of Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues. It helps developers solve real-world problems in the code domain, boosting efficiency, automating repetitive tasks, and optimizing workflows.

Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.

Last verified on: 2026-07-07

Quick Facts

Category code
Works With Claude
Source sickn33/antigravity-awesome-skills
Stars ⭐ 40.7k
Last Verified 2026-07-07
Risk Level High
mkdir -p ./skills/web-security-testing && curl -sfL https://raw.githubusercontent.com/sickn33/antigravity-awesome-skills/main/skills/web-security-testing/SKILL.md -o ./skills/web-security-testing/SKILL.md

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).

Skill Content

# Web Security Testing Workflow


Overview


Specialized workflow for testing web applications against OWASP Top 10 vulnerabilities including injection attacks, XSS, broken authentication, and access control issues.


When to Use This Workflow


Use this workflow when:

- Testing web application security

- Performing OWASP Top 10 assessment

- Conducting penetration tests

- Validating security controls

- Bug bounty hunting


Workflow Phases


Phase 1: Reconnaissance


#### Skills to Invoke

- `scanning-tools` - Security scanning

- `top-web-vulnerabilities` - OWASP knowledge


#### Actions

1. Map application surface

2. Identify technologies

3. Discover endpoints

4. Find subdomains

5. Document findings


#### Copy-Paste Prompts

text
Use @scanning-tools to perform web application reconnaissance

Phase 2: Injection Testing


#### Skills to Invoke

- `sql-injection-testing` - SQL injection

- `sqlmap-database-pentesting` - SQLMap


#### Actions

1. Test SQL injection

2. Test NoSQL injection

3. Test command injection

4. Test LDAP injection

5. Document vulnerabilities


#### Copy-Paste Prompts

text
Use @sql-injection-testing to test for SQL injection

text
Use @sqlmap-database-pentesting to automate SQL injection testing

Phase 3: XSS Testing


#### Skills to Invoke

- `xss-html-injection` - XSS testing

- `html-injection-testing` - HTML injection


#### Actions

1. Test reflected XSS

2. Test stored XSS

3. Test DOM-based XSS

4. Test XSS filters

5. Document findings


#### Copy-Paste Prompts

text
Use @xss-html-injection to test for cross-site scripting

Phase 4: Authentication Testing


#### Skills to Invoke

- `broken-authentication` - Authentication testing


#### Actions

1. Test credential stuffing

2. Test brute force protection

3. Test session management

4. Test password policies

5. Test MFA implementation


#### Copy-Paste Prompts

text
Use @broken-authentication to test authentication security

Phase 5: Access Control Testing


#### Skills to Invoke

- `idor-testing` - IDOR testing

- `file-path-traversal` - Path traversal


#### Actions

1. Test vertical privilege escalation

2. Test horizontal privilege escalation

3. Test IDOR vulnerabilities

4. Test directory traversal

5. Test unauthorized access


#### Copy-Paste Prompts

text
Use @idor-testing to test for insecure direct object references

text
Use @file-path-traversal to test for path traversal

Phase 6: Security Headers


#### Skills to Invoke

- `api-security-best-practices` - Security headers


#### Actions

1. Check CSP implementation

2. Verify HSTS configuration

3. Test X-Frame-Options

4. Check X-Content-Type-Options

5. Verify referrer policy


#### Copy-Paste Prompts

text
Use @api-security-best-practices to audit security headers

Phase 7: Reporting


#### Skills to Invoke

- `reporting-standards` - Security reporting


#### Actions

1. Document vulnerabilities

2. Assess risk levels

3. Provide remediation

4. Create proof of concept

5. Generate report


#### Copy-Paste Prompts

text
Use @reporting-standards to create security report

OWASP Top 10 Checklist


- [ ] A01: Broken Access Control

- [ ] A02: Cryptographic Failures

- [ ] A03: Injection

- [ ] A04: Insecure Design

- [ ] A05: Security Misconfiguration

- [ ] A06: Vulnerable Components

- [ ] A07: Authentication Failures

- [ ] A08: Software/Data Integrity

- [ ] A09: Logging/Monitoring

- [ ] A10: SSRF


Quality Gates


- [ ] All OWASP Top 10 tested

- [ ] Vulnerabilities documented

- [ ] Proof of concepts captured

- [ ] Remediation provided

- [ ] Report generated


Related Workflow Bundles


- `security-audit` - Security auditing

- `api-security-testing` - API security

- `wordpress-security` - WordPress security

🎯 Best For

  • Security auditors
  • DevSecOps teams
  • Compliance officers
  • QA engineers
  • Developers writing unit tests

💡 Use Cases

  • Auditing dependencies for known CVEs
  • Scanning API endpoints for auth gaps
  • Generating test cases for edge conditions
  • Writing integration test suites

📖 How to Use This Skill

  1. 1

    Install the Skill

    Copy the install command from the Terminal tab and run it. The SKILL.md file downloads to your local skills directory.

  2. 2

    Load into Your AI Assistant

    Open Claude and reference the skill. Paste the SKILL.md content or use the system prompt tab.

  3. 3

    Apply Web Security Testing to Your Work

    Open your project in the AI assistant and ask it to apply the skill. Start with a small module to verify the output quality.

  4. 4

    Review and Refine

    Review AI suggestions before committing. Run tests, check for regressions, and iterate on the skill output.

❓ Frequently Asked Questions

Can this replace a dedicated SAST tool?

AI-based security review is complementary to SAST tools. Use it as a first-pass filter, not a replacement.

Does this generate test mocks?

Many testing skills include mock generation. Check the install command and skill content for details.

Is Web Security Testing compatible with Cursor and VS Code?

Yes — this skill works with any AI coding assistant including Cursor, VS Code with Copilot, and JetBrains IDEs.

Do I need specific dependencies for Web Security Testing?

Check the install command and Works With section. Most code skills only require the AI assistant and your codebase.

How do I install Web Security Testing?

Copy the install command from the Terminal tab and run it. The skill downloads to ./skills/web-security-testing/SKILL.md, ready to use.

⚠️ Common Mistakes to Avoid

Only scanning surface-level issues

Deep security review requires understanding your app architecture, not just regex patterns.

Not testing edge cases

AI tends to generate happy-path tests. Manually review for boundary conditions.

Skipping validation

Always test AI-generated code changes, even for simple refactors.

Missing dependency updates

Check if the skill requires updated dependencies or new packages.

🔗 Related Skills