security-audit

Security Auditing Workflow Bundle

Overview

Comprehensive security auditing workflow for web applications, APIs, and infrastructure. This bundle orchestrates skills for penetration testing, vulnerability assessment, security scanning, and remediation.

When to Use This Workflow

Use this workflow when:
  • Performing security audits on web applications
  • Testing API security
  • Conducting penetration tests
  • Scanning for vulnerabilities
  • Hardening application security
  • Conducting compliance-driven security assessments

Workflow Phases

Phase 1: Reconnaissance

Skills to Invoke

  • scanning-tools
    - Security scanning
  • shodan-reconnaissance
    - Shodan searches
  • top-web-vulnerabilities
    - OWASP Top 10

Actions

  1. Identify target scope
  2. Gather intelligence
  3. Map attack surface
  4. Identify technologies
  5. Document findings

Copy-Paste Prompts

Use @scanning-tools to perform initial reconnaissance
Use @shodan-reconnaissance to find exposed services

Phase 2: Vulnerability Scanning

Skills to Invoke

  • vulnerability-scanner
    - Vulnerability analysis
  • security-scanning-security-sast
    - Static analysis
  • security-scanning-security-dependencies
    - Dependency scanning

Actions

  1. Run automated scanners
  2. Perform static analysis
  3. Scan dependencies
  4. Identify misconfigurations
  5. Document vulnerabilities
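The dependency-scanning step (actions 3 and 5) comes down to one algorithm: read the exact versions pinned in a lockfile, then test each against the vulnerable version range published in an advisory. The following is an added example written for this page, not code from the bundle or any of the skills it names. The advisory feed and the requirements file are constructed for the example: the package names and the EXAMPLE-ADV-* identifiers are fictional placeholders in the shape of an OSV-style introduced/fixed range, not real vulnerabilities.

```python
"""Match pinned Python dependencies against an advisory feed by version range.

Added example for the dependency-scanning step; it is not part of the bundle.
"""
import re

# Constructed advisory feed with fictional package names and placeholder IDs,
# in the shape of an OSV-style introduced/fixed range. Not real vulnerabilities.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "acme-httpclient", "introduced": "0", "fixed": "2.3.1"},
    {"id": "EXAMPLE-ADV-0002", "package": "widget-serializer", "introduced": "1.4.0", "fixed": "1.5.0"},
    {"id": "EXAMPLE-ADV-0003", "package": "template-kit", "introduced": "2.0.0", "fixed": "2.9.3"},
    {"id": "EXAMPLE-ADV-0004", "package": "safe-utils", "introduced": "1.0.0", "fixed": None},
]

# Constructed lockfile content standing in for a real requirements.txt.
REQUIREMENTS = """\
# constructed sample lockfile
acme-httpclient==2.2.0
widget-serializer[yaml]==1.4.7   # extras are ignored when matching
template-kit==3.0.0
safe-utils==0.9.1
unpinned-tool>=1.0
"""


def normalize(name: str) -> str:
    """Package names compare case-insensitively with '_' and '.' folded to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> tuple:
    """Dotted numeric versions only; pre-release tags are not modelled here.
    A production scanner should use packaging.version (PEP 440) instead."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_requirements(text: str) -> tuple:
    """Return ({normalized name: pinned version}, [lines that are not exact pins])."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?==([0-9][0-9.]*)$", line)
        if m:
            pinned[normalize(m.group(1))] = m.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def is_affected(version: str, introduced: str, fixed) -> bool:
    """OSV semantics: affected if introduced <= version and (no fix yet or version < fixed)."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def audit_dependencies(requirements: str, advisories: list) -> list:
    """Return one record per (advisory, installed version) match."""
    pinned, _unpinned = parse_requirements(requirements)
    hits = []
    for adv in advisories:
        name = normalize(adv["package"])
        if name in pinned and is_affected(pinned[name], adv["introduced"], adv["fixed"]):
            hits.append({"id": adv["id"], "package": name,
                         "installed": pinned[name], "fixed": adv["fixed"]})
    return hits


if __name__ == "__main__":
    for hit in audit_dependencies(REQUIREMENTS, ADVISORIES):
        print(f"{hit['id']}: {hit['package']}=={hit['installed']} (fixed in {hit['fixed']})")
    _, loose = parse_requirements(REQUIREMENTS)
    for line in loose:
        print(f"not an exact pin, cannot assess: {line}")
```

Two details matter in practice and are the reason unpinned lines are reported separately: a range specifier such as >=1.0 cannot be assessed without resolving what is actually installed, and an advisory with no fixed version affects every release from introduced onward, so the absence of a fix must not be read as "not affected".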

Copy-Paste Prompts

Use @vulnerability-scanner to scan for OWASP Top 10 vulnerabilities
Use @security-scanning-security-dependencies to audit dependencies

Phase 3: Web Application Testing

Skills to Invoke

  • top-web-vulnerabilities
    - OWASP vulnerabilities
  • sql-injection-testing
    - SQL injection
  • xss-html-injection
    - XSS testing
  • broken-authentication
    - Authentication testing
  • idor-testing
    - IDOR testing
  • file-path-traversal
    - Path traversal
  • burp-suite-testing
    - Burp Suite testing

Actions

  1. Test for injection flaws
  2. Test authentication mechanisms
  3. Test session management
  4. Test access controls
  5. Test input validation
  6. Test security headers
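Actions 3 and 6 (session management and security headers) can be checked mechanically from a single captured response. The following is an added example written for this page, not code from the bundle or the burp-suite-testing skill: it takes the response headers as (name, value) pairs, as a proxy would export them, and returns a list of findings. Both sample responses are constructed for the example and were not captured from any real target; the one-year HSTS threshold and the cookie flags checked are assumptions that reflect common hardening guidance, not a requirement stated by the page.

```python
"""Audit one captured HTTP response for missing security headers and weak cookie flags.

Added example for the session-management and security-header steps; not part of the bundle.
"""
import re

ONE_YEAR = 31536000  # HSTS max-age commonly recommended as at least one year (assumption)
# Headers whose presence discloses implementation details an attacker can use
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_set_cookie(value: str) -> tuple:
    """Return (cookie name, {lower-cased attribute: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers) -> list:
    """headers: iterable of (name, value) pairs as captured from the proxy.
    Returns a list of findings; an empty list means every check passed."""
    grouped = {}
    for name, value in headers:
        grouped.setdefault(name.lower(), []).append(value)  # Set-Cookie may repeat
    findings = []

    hsts = grouped.get("strict-transport-security", [None])[0]
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")

    csp = grouped.get("content-security-policy", [None])[0]
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp.lower() or "'unsafe-eval'" in csp.lower():
        findings.append("Content-Security-Policy allows unsafe-inline or unsafe-eval")
    # frame-ancestors in CSP supersedes X-Frame-Options; either one blocks framing
    if not (csp and "frame-ancestors" in csp.lower()) and "x-frame-options" not in grouped:
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    if grouped.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "referrer-policy" not in grouped:
        findings.append("missing Referrer-Policy")
    for h in DISCLOSURE_HEADERS:
        if h in grouped:
            findings.append(f"{h} header discloses {grouped[h][0]}")

    for raw in grouped.get("set-cookie", []):
        name, attrs = parse_set_cookie(raw)
        for flag in ("Secure", "HttpOnly"):
            if flag.lower() not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {name} lacks SameSite=Lax/Strict")
    return findings


# Constructed sample responses; not captured from any real target.
CAPTURED = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=86400"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("Set-Cookie", "SESSIONID=8f3a1c; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "SESSIONID=8f3a1c; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, resp in (("captured", CAPTURED), ("hardened", HARDENED)):
        print(f"{label}: {audit_headers(resp) or 'clean'}")
```

Every cookie is held to the same three flags; a cookie that client-side script legitimately reads (the theme cookie above) can be triaged down during reporting, but the session cookie must carry all three. The check reads the response as a list of pairs rather than a dict precisely because Set-Cookie is one of the few headers that repeats, and collapsing it would hide all but one cookie.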

Copy-Paste Prompts

Use @sql-injection-testing to test for SQL injection vulnerabilities
Use @xss-html-injection to test for cross-site scripting
Use @broken-authentication to test authentication security

Phase 4: API Security Testing

Skills to Invoke

  • api-fuzzing-bug-bounty
    - API fuzzing
  • api-security-best-practices
    - API security

Actions

  1. Enumerate API endpoints
  2. Test authentication/authorization
  3. Test rate limiting
  4. Test input validation
  5. Test error handling
  6. Document API vulnerabilities
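Action 2 here (authentication/authorization) and action 4 of the web application phase (access controls) are the same test: request every object as every principal, including an unauthenticated one, and diff what came back against who owns what. This is the differential check behind the idor-testing skill, shown here as an added example written for this page, not code from the bundle. The API is simulated in-process with two handler variants, one missing the ownership check and one with it, so the test runs offline; the orders, users and roles are a constructed fixture. Against a real target the handler is replaced by a function that sends the request with that user's credentials and returns the status and body.

```python
"""Differential object-level authorization test (IDOR / BOLA).

Added example for the access-control and authorization steps; not part of the bundle.
The API is simulated in-process so the test runs offline; against a real target the
handler would be a function that sends the request with that user's credentials.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed fixture: objects and their owners, as the tester would know them after
# creating one account per role and one object per account.
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 17.50},
    1003: {"owner": "bob", "total": 99.99},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}  # constructed principals
USERS = [None, "alice", "bob", "carol"]                      # None = unauthenticated
PROBE_IDS = [1001, 1002, 1003, 1004]                         # 1004 does not exist


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_get_order(user: Optional[str], order_id: int) -> Response:
    """Authenticates but never authorizes: any logged-in user can read any order."""
    if user is None:
        return Response(401)
    order = ORDERS.get(order_id)
    return Response(200, order) if order else Response(404)


def fixed_get_order(user: Optional[str], order_id: int) -> Response:
    """Ownership (or admin role) is checked; foreign objects get 404, not 403,
    so the endpoint does not confirm which IDs exist."""
    if user is None:
        return Response(401)
    order = ORDERS.get(order_id)
    if order is None or (order["owner"] != user and ROLES.get(user) != "admin"):
        return Response(404)
    return Response(200, order)


def expected_allowed(user: Optional[str], order_id: int) -> bool:
    """The authorization matrix the tester derives from object ownership and roles."""
    order = ORDERS.get(order_id)
    if order is None or user is None:
        return False
    return order["owner"] == user or ROLES.get(user) == "admin"


def find_access_control_flaws(handler, users=USERS, order_ids=PROBE_IDS) -> list:
    """Request every object as every principal and diff the outcome against the matrix."""
    flaws = []
    for user in users:
        who = "unauthenticated" if user is None else user
        for oid in order_ids:
            resp = handler(user, oid)
            allowed = expected_allowed(user, oid)
            if resp.status == 200 and not allowed:
                owner = ORDERS.get(oid, {}).get("owner", "nobody")
                flaws.append(f"{who} read order {oid} owned by {owner}")
            elif resp.status != 200 and allowed:
                flaws.append(f"{who} denied own order {oid} (status {resp.status})")
    return flaws


if __name__ == "__main__":
    for label, handler in (("vulnerable", vulnerable_get_order), ("fixed", fixed_get_order)):
        print(f"{label}: {find_access_control_flaws(handler) or 'no flaws'}")
```

The loop reports both directions of failure: an object readable by someone who should not see it (the IDOR proper) and an owner locked out of their own object (a regression a fix like the one above can introduce). Returning 404 rather than 403 for foreign objects is a deliberate choice in the fixed handler, since a 403 still tells the attacker the ID is valid and feeds enumeration.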

Copy-Paste Prompts

Use @api-fuzzing-bug-bounty to fuzz API endpoints

Phase 5: Penetration Testing

Skills to Invoke

  • pentest-commands
    - Penetration testing commands
  • pentest-checklist
    - Pentest planning
  • ethical-hacking-methodology
    - Ethical hacking
  • metasploit-framework
    - Metasploit

Actions

  1. Plan the penetration test against the agreed scope and rules of engagement
  2. Execute attack scenarios
  3. Exploit confirmed vulnerabilities, staying within the authorized scope
  4. Document proof of concept
  5. Assess impact

Copy-Paste Prompts

Use @pentest-checklist to plan penetration test
Use @pentest-commands to execute penetration testing

Phase 6: Security Hardening

Skills to Invoke

  • security-scanning-security-hardening
    - Security hardening
  • auth-implementation-patterns
    - Authentication
  • api-security-best-practices
    - API security

Actions

  1. Implement security controls
  2. Configure security headers
  3. Set up authentication
  4. Implement authorization
  5. Configure logging
  6. Apply patches

Copy-Paste Prompts

Use @security-scanning-security-hardening to harden application security

Phase 7: Reporting

Skills to Invoke

  • reporting-standards
    - Security reporting

Actions

  1. Document findings
  2. Assess risk levels
  3. Provide remediation steps
  4. Create executive summary
  5. Generate technical report

Security Testing Checklist

OWASP Top 10 (2017 edition)

  • Injection (SQL, NoSQL, OS, LDAP)
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entities (XXE)
  • Broken Access Control
  • Security Misconfiguration
  • Cross-Site Scripting (XSS)
  • Insecure Deserialization
  • Using Components with Known Vulnerabilities
  • Insufficient Logging & Monitoring

The categories above follow the 2017 list. The 2021 edition renames and regroups several of them (Sensitive Data Exposure becomes Cryptographic Failures, XXE folds into Security Misconfiguration, XSS into Injection, Broken Authentication becomes Identification and Authentication Failures) and adds Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery; cover those as well when an engagement is scoped against the current list.

API Security

  • Authentication mechanisms
  • Authorization checks
  • Rate limiting
  • Input validation
  • Error handling
  • Security headers

Quality Gates

  • All planned tests executed
  • Vulnerabilities documented
  • Proof of concepts captured
  • Risk assessments completed
  • Remediation steps provided
  • Report generated

Related Workflow Bundles

  • development
    - Secure development practices
  • wordpress
    - WordPress security
  • cloud-devops
    - Cloud security
  • testing-qa
    - Security testing