Security Auditor

安全审计专家

Expert in identifying security vulnerabilities following OWASP Top 10 and security best practices.

遵循OWASP Top 10及安全最佳实践的漏洞识别专家。

When This Skill Activates

此Skill触发场景

Activates when you:

Request a security audit
Mention "security" or "vulnerability"
Need security review
Ask about OWASP

当你进行以下操作时触发：

发起安全审计请求
提及"security"或"vulnerability"
需要安全审查
咨询OWASP相关问题

OWASP Top 10 Coverage

OWASP Top 10 覆盖范围

A01: Broken Access Control

Checks:

bash

undefined

检查项：

bash

undefined

Check for missing auth on protected routes

grep -r "@RequireAuth|@Protected" src/

Check for IDOR vulnerabilities

grep -r "req.params.id|req.query.id" src/

Check for role-based access

grep -r "if.role.===" src/


**Common Issues:**
- Missing authentication on sensitive endpoints
- IDOR: Users can access other users' data
- Missing authorization checks
- API keys in URL

grep -r "if.role.===" src/


**常见问题：**
- 敏感端点缺少身份验证
- IDOR：用户可访问其他用户的数据
- 缺少权限校验
- API密钥暴露在URL中

A02: Cryptographic Failures

Checks:

bash

undefined

检查项：

bash

undefined

Check for hardcoded secrets

grep -ri "password.=.['"]" src/ grep -ri "api_key.=.['"]" src/ grep -ri "secret.=.['"]" src/

Check for weak hashing

grep -r "md5|sha1" src/

Check for http URLs

grep -r "http://" src/


**Common Issues:**
- Hardcoded credentials
- Weak hashing algorithms (MD5, SHA1)
- Unencrypted sensitive data
- HTTP instead of HTTPS

grep -r "http://" src/


**常见问题：**
- 硬编码凭证
- 弱哈希算法（MD5、SHA1）
- 敏感数据未加密
- 使用HTTP而非HTTPS

A03: Injection

Checks:

bash

undefined

检查项：

bash

undefined

SQL injection patterns

grep -r "".SELECT.+.*"" src/ grep -r "".UPDATE.SET.+."" src/

Command injection

grep -r "exec(|system(|spawn(" src/ grep -r "child_process.exec" src/

Template injection

grep -r "render.*req." src/


**Common Issues:**
- SQL injection
- NoSQL injection
- Command injection
- XSS (Cross-Site Scripting)
- Template injection

grep -r "render.*req." src/


**常见问题：**
- SQL注入
- NoSQL注入
- 命令注入
- XSS（跨站脚本攻击）
- 模板注入

A04: Insecure Design

Checks:

bash

undefined

检查项：

bash

undefined

Check for rate limiting

grep -r "rateLimit|rate-limit|throttle" src/

Check for 2FA

grep -r "twoFactor|2fa|mfa" src/

Check for session timeout

grep -r "maxAge|expires|timeout" src/


**Common Issues:**
- No rate limiting on auth endpoints
- Missing 2FA for sensitive operations
- Session timeout too long
- No account lockout after failed attempts

grep -r "maxAge|expires|timeout" src/


**常见问题：**
- 认证端点未设置速率限制
- 敏感操作缺少2FA
- 会话超时时间过长
- 登录失败后未启用账户锁定

A05: Security Misconfiguration

Checks:

bash

undefined

检查项：

bash

undefined

Check for debug mode

grep -r "DEBUG.*=.True|debug.=.*true" src/

Check for CORS configuration

grep -r "origin.**" src/

Check for error messages

grep -r "console.log.*error|console.error" src/


**Common Issues:**
- Debug mode enabled in production
- Overly permissive CORS
- Verbose error messages
- Default credentials not changed

grep -r "console.log.*error|console.error" src/


**常见问题：**
- 生产环境启用调试模式
- CORS配置过于宽松
- 错误信息过于详细
- 未修改默认凭证

A06: Vulnerable Components

Checks:

bash

undefined

检查项：

bash

undefined

Check package files

cat package.json | grep -E ""dependencies"|"devDependencies"" cat requirements.txt cat go.mod

Run vulnerability scanner

npm audit pip-audit


**Common Issues:**
- Outdated dependencies
- Known vulnerabilities in dependencies
- Unused dependencies
- Unmaintained packages

npm audit pip-audit


**常见问题：**
- 依赖库版本过时
- 依赖库存在已知漏洞
- 存在未使用的依赖库
- 使用无人维护的包

A07: Authentication Failures

Checks:

bash

undefined

检查项：

bash

undefined

Check password hashing

grep -r "bcrypt|argon2|scrypt" src/

Check password requirements

grep -r "password.*length|password.*complex" src/

Check for password in URL

grep -r "password.*req." src/


**Common Issues:**
- Weak password hashing
- No password complexity requirements
- Password in URL
- Session fixation

grep -r "password.*req." src/


**常见问题：**
- 密码哈希算法强度不足
- 无密码复杂度要求
- 密码出现在URL中
- 会话固定攻击风险

A08: Software/Data Integrity

Checks:

bash

undefined

检查项：

bash

undefined

Check for subresource integrity

grep -r "integrity|crossorigin" src/

Check for signature verification

grep -r "verify.*signature|validate.*token" src/


**Common Issues:**
- No integrity checks
- Unsigned updates
- Unverified dependencies

grep -r "verify.*signature|validate.*token" src/


**常见问题：**
- 未进行完整性校验
- 更新包未签名
- 依赖库未验证

A09: Logging Failures

Checks:

bash

undefined

检查项：

bash

undefined

Check for sensitive data in logs

grep -r "log.*password|log.*token|log.*secret" src/

Check for audit trail

grep -r "audit|activity.*log" src/


**Common Issues:**
- Sensitive data in logs
- No audit trail for critical operations
- Logs not protected
- No log tampering detection

grep -r "audit|activity.*log" src/


**常见问题：**
- 日志中包含敏感数据
- 关键操作无审计追踪
- 日志未受保护
- 无日志篡改检测

A10: SSRF (Server-Side Request Forgery)

Checks:

bash

undefined

检查项：

bash

undefined

Check for arbitrary URL fetching

grep -r "fetch(|axios(|request(|http\.get" src/

Check for webhook URLs

grep -r "webhook.*url|callback.*url" src/


**Common Issues:**
- No URL validation
- Fetching user-supplied URLs
- No allowlist for external calls

grep -r "webhook.*url|callback.*url" src/


**常见问题：**
- 未验证URL合法性
- 允许获取用户提供的URL内容
- 未设置外部调用白名单

Security Audit Checklist

安全审计检查表

Code Review

代码审查

Configuration

配置检查

Dependencies

依赖检查

No known vulnerabilities
Dependencies up to date
Unused dependencies removed

无已知漏洞
依赖库已更新至最新版本
已移除未使用的依赖库

Scripts

脚本

Run security audit:

bash

python scripts/security_audit.py

Check for secrets:

bash

python scripts/find_secrets.py

运行安全审计：

bash

python scripts/security_audit.py

检查密钥：

bash

python scripts/find_secrets.py

References

参考资料

```
references/owasp.md
```
- OWASP Top 10 details
```
references/checklist.md
```
- Security audit checklist
```
references/remediation.md
```
- Vulnerability remediation guide

```
references/owasp.md
```
- OWASP Top 10 详细内容
```
references/checklist.md
```
- 安全审计检查表
```
references/remediation.md
```
- 漏洞修复指南

security-auditor

Original

Translation

Security Auditor

安全审计专家

When This Skill Activates

此Skill触发场景

OWASP Top 10 Coverage

OWASP Top 10 覆盖范围

A01: Broken Access Control

A01: Broken Access Control

Check for missing auth on protected routes

Check for missing auth on protected routes

Check for IDOR vulnerabilities

Check for IDOR vulnerabilities

Check for role-based access

Check for role-based access

A02: Cryptographic Failures

A02: Cryptographic Failures

Check for hardcoded secrets

Check for hardcoded secrets

Check for weak hashing

Check for weak hashing

Check for http URLs

Check for http URLs

A03: Injection

A03: Injection

SQL injection patterns

SQL injection patterns

Command injection

Command injection

Template injection

Template injection

A04: Insecure Design

A04: Insecure Design

Check for rate limiting

Check for rate limiting

Check for 2FA

Check for 2FA

Check for session timeout

Check for session timeout

A05: Security Misconfiguration

A05: Security Misconfiguration

Check for debug mode

Check for debug mode

Check for CORS configuration

Check for CORS configuration

Check for error messages

Check for error messages

A06: Vulnerable Components

A06: Vulnerable Components

Check package files

Check package files

Run vulnerability scanner

Run vulnerability scanner

A07: Authentication Failures

A07: Authentication Failures

Check password hashing

Check password hashing

Check password requirements

Check password requirements

Check for password in URL

Check for password in URL

A08: Software/Data Integrity

A08: Software/Data Integrity

Check for subresource integrity

Check for subresource integrity

Check for signature verification

Check for signature verification

A09: Logging Failures

A09: Logging Failures

Check for sensitive data in logs

Check for sensitive data in logs

Check for audit trail

Check for audit trail

A10: SSRF (Server-Side Request Forgery)

A10: SSRF (Server-Side Request Forgery)

Check for arbitrary URL fetching

Check for arbitrary URL fetching

Check for webhook URLs