# Security Testing (Chinese Version)

English version: see the skill `security-testing-en`. The prompt template is in `prompts/security-testing.md` in this directory.
## When to Use

- The user mentions "security testing" or "security-testing"
- Such tests need to be executed, or the corresponding deliverables produced, based on the Standard-version prompt
- Trigger examples: "Generate/design/write ... based on the following content"
## Output Format Options

Markdown by default. If you need Excel / CSV / JSON, say so at the end of your request; see output-formats.md for details.
## How to Use

- Open `prompts/security-testing.md` in this directory and copy the content below the dashed line into the AI conversation.
- Attach your specific requirements.
- If you need Excel/CSV/JSON, append the request sentence from output-formats.md.
## Code Examples

### 1. OWASP ZAP Security Scan

A complete OWASP ZAP security testing example covering a baseline scan, a full scan and an API scan.

Location: `examples/owasp-zap-scan/`

Included content:

- Baseline scan script (quick scan)
- Full scan script (deep scan)
- API scan script
- Automated run script
- Detailed README documentation

Quick start:

```bash
cd examples/owasp-zap-scan
./run-scan.sh baseline https://example.com
```

Test coverage:

- SQL injection detection
- XSS vulnerability detection
- CSRF vulnerability detection
- Security configuration check
- API security testing

For details, see examples/owasp-zap-scan/README.md
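As an added illustration of what a wrapper like `run-scan.sh` has to do (this is not the project's own script), the following POSIX shell builds the dockerised command for the three scan modes above and interprets the scan script's exit status; it also bakes in the fixes discussed under Troubleshooting (running the container as the calling user so reports can be written, and capping the run time with `-T`). The image name is the one used in this README; the report file names, the 60-minute cap and the assumption that an `api` target is an OpenAPI definition URL are choices made here.

```shell
#!/bin/sh
# Added example, not the project's run-scan.sh: builds and (optionally) runs the
# dockerised ZAP scan command for the baseline / full / api modes.
# Assumptions: the image name from this README, the report file names, the
# 60-minute cap, and that an "api" target is an OpenAPI definition URL.
set -eu

ZAP_IMAGE="${ZAP_IMAGE:-owasp/zap2docker-stable}"   # image used in this README
REPORT_DIR="${REPORT_DIR:-$PWD/zap-reports}"         # mounted as /zap/wrk so reports land here

# Map a scan mode to the scan script shipped inside the ZAP image.
zap_script_for() {
  case "$1" in
    baseline) echo "zap-baseline.py" ;;
    full)     echo "zap-full-scan.py" ;;
    api)      echo "zap-api-scan.py" ;;
    *)        echo "unknown scan mode: $1" >&2; return 1 ;;
  esac
}

# Print the full docker command without executing it.
# Args: mode target [uid] [gid]   (uid/gid default to the calling user)
zap_scan_cmd() {
  mode="$1"; target="$2"; uid="${3:-$(id -u)}"; gid="${4:-$(id -g)}"
  script="$(zap_script_for "$mode")"
  # -u: run as the invoking user so the report can be written into the bind mount
  cmd="docker run --rm -u $uid:$gid -v $REPORT_DIR:/zap/wrk/:rw $ZAP_IMAGE $script -t $target"
  if [ "$mode" = api ]; then
    cmd="$cmd -f openapi"   # zap-api-scan.py needs the definition format
  fi
  # -r/-J: HTML and JSON reports; -T: overall cap in minutes; -I: warnings alone do not fail the run
  echo "$cmd -r $mode-report.html -J $mode-report.json -T 60 -I"
}

# Label the scan script's exit status: 0 clean, 1 at least one FAIL, 2 WARN only, anything else an error.
zap_exit_label() {
  case "$1" in
    0) echo clean ;;
    1) echo fail ;;
    2) echo warn ;;
    *) echo error ;;
  esac
}

# Usage: ./zap-wrapper.sh baseline https://example.com   (set DRY_RUN=1 to print only)
main() {
  cmd="$(zap_scan_cmd "$1" "$2")"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$cmd"
    return 0
  fi
  mkdir -p "$REPORT_DIR"
  rc=0
  eval "$cmd" || rc=$?
  echo "scan result: $(zap_exit_label "$rc") (exit $rc)"
  return "$rc"
}

if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

`DRY_RUN=1 ./zap-wrapper.sh full https://example.com` prints the command so it can be reviewed before anything is sent to the target; without `DRY_RUN` the wrapper runs it and returns the scan script's own exit status, which lets a CI job gate on `fail` while tolerating `warn`.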
## Best Practices

### Security Testing Principles

- OWASP Top 10
  - Injection attacks
  - Broken authentication
  - Sensitive data exposure
  - XML External Entities (XXE)
  - Broken access control
  - Security misconfiguration
  - Cross-Site Scripting (XSS)
  - Insecure deserialization
  - Using components with known vulnerabilities
  - Insufficient logging and monitoring
- Testing phases
  - Development phase: static code analysis
  - Testing phase: dynamic security testing
  - Pre-release: penetration testing
  - Production environment: continuous monitoring
- Testing methods
  - Black-box testing: no knowledge of the internal implementation
  - White-box testing: full knowledge of the internal implementation
  - Gray-box testing: partial knowledge of the internal implementation
### Tool Selection Recommendations

| Tool | Applicable Scenario | Advantages |
|---|---|---|
| OWASP ZAP | Web application security | Open source, easy to use, automatable |
| Burp Suite | Penetration testing | Powerful, professional |
| Nmap | Network scanning | Port scanning, service identification |
| SQLMap | SQL injection | Automated injection testing |
| Nikto | Web server scanning | Fast vulnerability scanning |
## Troubleshooting

### Common Issues

#### 1. ZAP Scan Timeout

Problem: the scan takes too long or times out

Solution:

```bash
# Raise the overall time limit (-T: maximum minutes to wait for ZAP to start and the passive scan to finish)
zap-baseline.py -t http://example.com -T 300

# Cap how long the spider runs (-m: minutes to spider, default 1), which bounds how much of the site is crawled
zap-baseline.py -t http://example.com -m 3
```

#### 2. Too Many False Positives

Problem: the scan results contain a large number of false positives

Solution:

- Use a custom scan policy
- Exclude known false positives
- Manually verify high-risk findings
- Adjust the scan level
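The "exclude known false positives" step above is usually done through the rule configuration file that `zap-baseline.py` reads with `-c`. The shell functions below are an added example (not the project's code) for maintaining that file: one marks reviewed rule ids `IGNORE` (or `FAIL` for the rules a pipeline should gate on), the other summarises the resulting policy. The file format assumed is the one `zap-baseline.py -g` writes, one rule per line as `<plugin id><TAB><FAIL|WARN|IGNORE><TAB>(<rule name>)`; the sample file content is constructed here.

```shell
#!/bin/sh
# Added example, not part of the project: manage the rule configuration file that
# zap-baseline.py reads with -c, so that reviewed false positives stop being reported.
# Assumed format (what `zap-baseline.py -g rules.conf` writes): one rule per line,
# "<plugin id><TAB><FAIL|WARN|IGNORE><TAB>(<rule name>)".
set -eu

# Constructed sample config in that format. The ids/names mirror real ZAP rules
# (10020 and 10021 are passive response-header checks, 40018 is the active SQL injection rule).
sample_rules() {
  printf '10020\tWARN\t(X-Frame-Options Header Not Set)\n'
  printf '10021\tWARN\t(X-Content-Type-Options Header Missing)\n'
  printf '40018\tWARN\t(SQL Injection)\n'
}

# Set the action column for the given rule ids.  Args: ACTION FILE ID...
# Lines that are not rules (comments, blanks) are passed through unchanged.
set_rule_action() {
  action="$1"; file="$2"; shift 2
  ids=" $* "
  awk -F '\t' -v ids="$ids" -v act="$action" '
    BEGIN { OFS = "\t" }
    /^[0-9]+\t/ { if (index(ids, " " $1 " ") > 0) $2 = act }
    { print }
  ' "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
}

# Summarise how many rules fall under each action, e.g. "FAIL=1 WARN=0 IGNORE=2".
action_summary() {
  awk -F '\t' '
    /^[0-9]+\t/ { n[$2]++ }
    END { printf "FAIL=%d WARN=%d IGNORE=%d\n", n["FAIL"], n["WARN"], n["IGNORE"] }
  ' "$1"
}

# Usage: generate the file once with `zap-baseline.py -t URL -g zap-rules.conf`,
# then mark reviewed false positives IGNORE and the rules you gate on FAIL:
#   set_rule_action IGNORE zap-rules.conf 10020 10021
#   set_rule_action FAIL   zap-rules.conf 40018
#   action_summary zap-rules.conf
#   zap-baseline.py -t URL -c zap-rules.conf
```

Keeping `zap-rules.conf` in the repository next to the scan script makes every suppression reviewable in version control, and `action_summary` gives a quick sanity check that a policy has not silently drifted to mostly `IGNORE`.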
#### 3. Cannot Scan Authenticated Pages

Problem: ZAP cannot reach pages behind the login

Solution:

```bash
# Configure form-based authentication
zap-cli auth \
  --auth-mode form \
  --auth-url http://example.com/login \
  --auth-username user \
  --auth-password pass
# The packaged scan scripts can instead load a ZAP context with the login configured:
#   zap-baseline.py -t http://example.com -n context.xml -U user
```
#### 4. Docker Permission Issues

Problem: report files cannot be written

Solution:

```bash
# Run the container as the current user so it can write into the mounted work directory
docker run -u $(id -u):$(id -g) \
  -v $(pwd):/zap/wrk/:rw \
  owasp/zap2docker-stable \
  zap-baseline.py -t http://example.com -r report.html   # -r writes the HTML report into /zap/wrk
```
#### 5. Certificate Verification Error

Problem: SSL certificate verification failed

Solution:

```bash
# Skip certificate verification (test environments only) via a custom hook script
zap-baseline.py -t https://example.com --hook skip-cert-check.py
```
#### 6. Scan Blocked by WAF

Problem: requests are blocked by a web application firewall

Solution:

- Reduce the scan speed
- Use a random User-Agent
- Coordinate the testing window with the security team
- Use an allow-listed IP

#### 7. Difficulty Interpreting Reports

Problem: the findings in the scan report are not understood

Solution:

- Consult the OWASP documentation
- Manually verify the findings
- Consult security experts
- Refer to the CVE database
## Reference Files

- prompts/security-testing.md: Standard-version security testing prompt template
- output-formats.md: instructions for requesting Markdown / Excel / CSV / JSON output
- examples/owasp-zap-scan/: complete OWASP ZAP example
- quick-start.md: 5-minute quick start guide