OWASP Top 10 Checker Skill

Purpose

When to Use

• Final security validation before deployment
• Security certification and compliance
• Security audit preparation
• Post-remediation verification
• Quarterly security reviews
• Pre-release security checklist

OWASP Top 10 2021 Compliance Workflow

A01:2021 - Broken Access Control

# Check for authorization decorators/middleware
grep -r "@requires_auth\|@login_required\|@permission_required" src/
grep -r "auth_required\|check_permission" src/

# Find routes without authorization
grep -r "@app.route\|@router.get\|@router.post" src/ --include="*.py" -A 5

• Authorization enforced on every endpoint
• Default deny access control
• Server-side authorization (not client-side only)
• Authorization checked on every request
• Role-based access control (RBAC) implemented
• Ownership verified for object access

# Look for direct ID usage from requests
grep -r "request.*\['id'\]\|request.*\.id\|params\['id'\]" src/

• No direct object references without validation
• Ownership verified before access
• Indirect references used (e.g., session-based)
• UUID instead of sequential IDs where applicable

# Check CORS settings
grep -r "Access-Control-Allow-Origin" src/ config/
grep -r "CORS.*origin" src/ --include="*.py" --include="*.js"

• No wildcard (*) CORS unless absolutely necessary
• Specific origin whitelist configured
• Credentials mode properly configured
• Preflight requests handled correctly

# Check web server config
grep -r "autoindex\|directory.*listing" config/

• Directory listing disabled
• .git directory not accessible
• Backup files not accessible

A02:2021 - Cryptographic Failures

# Check TLS enforcement
grep -r "SECURE_SSL_REDIRECT\|HTTPS_ONLY\|ssl.*required" config/ src/
grep -r "tls.*version\|ssl.*version" config/

# Check for HTTP usage
grep -r "http://\|ws://" src/ | grep -v "localhost\|127.0.0.1"

• TLS 1.2+ enforced
• TLS 1.0/1.1 disabled
• HTTPS redirect configured
• HSTS header set (max-age >= 31536000)
• Secure WebSocket (wss://) for real-time
• Certificate validation enabled

# Check for encryption of sensitive data
grep -r "encrypt\|cipher\|AES" src/
grep -r "password.*plain\|password.*clear" src/

• Passwords hashed (bcrypt/argon2/scrypt)
• PII encrypted at rest
• Database encryption enabled for sensitive columns
• Backups encrypted
• Key management system used

# Find weak algorithms
grep -r "md5\|sha1\|DES\|RC4" src/ --include="*.py" --include="*.js"
grep -r "ECB.*mode" src/

• No MD5/SHA1 for security (only for checksums)
• AES-256-GCM or ChaCha20-Poly1305 for encryption
• Argon2id or bcrypt for passwords
• SHA-256/SHA-3 for hashing
• Proper IV/nonce generation
• No ECB mode

# Check RNG usage
grep -r "random\.random\|Math\.random" src/
grep -r "secrets\|os\.urandom\|crypto\.randomBytes" src/

• Cryptographically secure RNG (secrets, os.urandom)
• No Math.random() or random.random() for security
• Sufficient entropy for keys/tokens

A03:2021 - Injection

# Find string concatenation in SQL
grep -r "execute.*%\|execute.*\+\|execute.*format\|execute.*f\"" src/ --include="*.py"
grep -r "SELECT.*\+\|INSERT.*\+\|UPDATE.*\+\|DELETE.*\+" src/

• Parameterized queries/prepared statements
• ORM used correctly (no raw SQL with user input)
• No string concatenation in SQL
• Input validation on all parameters
• Least privilege database accounts

# Find shell command execution
grep -r "subprocess.*shell=True\|os\.system\|os\.popen" src/ --include="*.py"
grep -r "exec\|eval\|child_process" src/ --include="*.js"

• No shell=True with user input
• Command arguments as list, not string
• Input validation/sanitization
• Whitelist allowed commands
• No eval() or exec() with user input

grep -r "ldap.*search\|ldap.*filter" src/

• LDAP queries parameterized
• Special characters escaped
• Input validation

grep -r "find.*\$where\|\.exec(" src/ --include="*.js"

• MongoDB operators sanitized
• $where clauses avoided or validated
• Input type validation

grep -r "render_template_string\|Jinja2.*from_string" src/
grep -r "autoescape.*False" src/

• No user input in template compilation
• Auto-escaping enabled
• Safe template rendering

A04:2021 - Insecure Design

• Threat model documented
• Attack surface analyzed
• Trust boundaries identified
• Data flow diagrams created
• Security requirements defined

• Defense in depth implemented
• Fail securely (errors don't expose data)
• Least privilege principle
• Separation of duties
• Complete mediation (check every access)

grep -r "rate.*limit\|throttle" src/ config/

• Rate limiting on authentication endpoints
• Rate limiting on API endpoints
• Account lockout after failed attempts
• CAPTCHA for public forms

• Transaction integrity enforced
• Workflow state validated
• Resource limits defined
• Input bounds checked
• Edge cases handled

A05:2021 - Security Misconfiguration

# Check for security headers
grep -r "X-Frame-Options\|X-Content-Type-Options\|Content-Security-Policy" src/ config/
grep -r "Strict-Transport-Security\|X-XSS-Protection" src/ config/

• X-Frame-Options: DENY or SAMEORIGIN
• X-Content-Type-Options: nosniff
• Content-Security-Policy configured
• Strict-Transport-Security: max-age=31536000
• X-XSS-Protection: 1; mode=block
• Referrer-Policy: strict-origin-when-cross-origin

# Check debug mode
grep -r "DEBUG.*True\|development.*mode" config/ src/
grep -r "traceback\|stack.*trace" src/

• Debug mode disabled in production
• Generic error messages to users
• Detailed errors logged, not displayed
• No stack traces exposed
• Custom error pages configured

# Find hardcoded credentials
grep -r "password.*=.*admin\|password.*=.*password" src/ config/

• All default credentials changed
• No hardcoded passwords
• Credentials in environment variables
• Secrets management system used

# Check for sample/test code
find . -name "*sample*" -o -name "*test*" -o -name "*demo*" | grep -v node_modules

• Sample code removed
• Unused endpoints disabled
• Test accounts removed
• Development tools disabled in production
• Unnecessary services stopped

# Check dependency status
pip list --outdated 2>/dev/null || npm outdated 2>/dev/null

• Dependencies up to date
• Security patches applied
• Regular update schedule
• Vulnerability monitoring enabled

A06:2021 - Vulnerable and Outdated Components

# List all dependencies
pip list --format=json > dependencies.json 2>/dev/null || npm list --json > dependencies.json 2>/dev/null

• Complete dependency inventory (SBOM)
• Direct and transitive dependencies tracked
• License compliance verified
• Dependency sources trusted

# Scan for vulnerabilities
pip-audit --format json 2>/dev/null || npm audit --json 2>/dev/null
safety check --json 2>/dev/null

• Regular vulnerability scans (weekly minimum)
• No critical vulnerabilities
• High vulnerabilities remediated
• Vulnerability remediation SLA defined

# Check for version pinning
cat requirements.txt setup.py package.json 2>/dev/null

• Versions pinned in lockfiles
• Compatible version ranges defined
• Regular updates scheduled
• Breaking changes reviewed before update

• No unmaintained dependencies
• EOL software replaced
• Deprecated features not used
• Migration plan for aging components

A07:2021 - Identification and Authentication Failures

# Check password requirements
grep -r "password.*length\|password.*complexity" src/
grep -r "MIN_PASSWORD_LENGTH\|PASSWORD_VALIDATORS" config/ src/

• Minimum 8 characters (12+ recommended)
• Complexity requirements enforced
• Common passwords blocked
• Password strength meter implemented
• Password history (no reuse)

grep -r "mfa\|2fa\|totp\|two.*factor" src/

• MFA available for sensitive operations
• MFA enforced for admin accounts
• TOTP/hardware token support
• Backup codes provided

# Check session configuration
grep -r "SESSION.*TIMEOUT\|session.*expir" config/ src/
grep -r "SESSION_COOKIE_SECURE\|SESSION_COOKIE_HTTPONLY" config/ src/

• Session timeout configured (15-30 min idle)
• Absolute session timeout (e.g., 8 hours)
• Session invalidated on logout
• Secure session cookies (Secure, HttpOnly, SameSite)
• Session fixation prevented (regenerate on login)
• Concurrent session limits

# Check password hashing
grep -r "bcrypt\|argon2\|scrypt\|pbkdf2" src/
grep -r "hashlib\.md5.*password\|hashlib\.sha1.*password" src/

• Passwords hashed with bcrypt/argon2/scrypt
• Salt unique per password
• Work factor appropriate (bcrypt: 12+, argon2: per OWASP)
• No reversible encryption for passwords

# Check error messages
grep -r "user.*not.*found\|invalid.*username" src/

• Generic authentication errors ("Invalid credentials")
• Same response time for valid/invalid users
• Password reset doesn't confirm email existence
• Registration doesn't confirm email existence

grep -r "login.*attempt\|failed.*attempt\|account.*lock" src/

• Account lockout after N failed attempts (5-10)
• Temporary lockout (not permanent)
• Rate limiting on login endpoint
• CAPTCHA after failed attempts
• Login attempt logging

A08:2021 - Software and Data Integrity Failures

# Check for unsafe deserialization
grep -r "pickle\.loads\|yaml\.load\(" src/ --include="*.py"
grep -r "eval\|unserialize" src/

• No pickle with untrusted data
• yaml.safe_load() used (not yaml.load())
• JSON preferred over pickle
• Deserialization input validated
• No eval() with untrusted data

• Pipeline configuration in version control
• Code signing for releases
• Secret scanning in CI/CD
• Dependency verification
• Build reproducibility
• Artifact signing
• Deployment approval process

• Updates delivered over HTTPS
• Update signatures verified
• Automatic updates signed
• Rollback mechanism available
• Update integrity checked

• Dependencies from trusted sources
• Dependency hash verification
• Software Bill of Materials (SBOM)
• Third-party code reviewed
• Vendor security assessment

A09:2021 - Security Logging and Monitoring Failures

# Check logging implementation
grep -r "logging\|logger\|log\." src/ --include="*.py" --include="*.js"
grep -r "audit.*log\|security.*log" src/

• Authentication events logged (success/failure)
• Authorization failures logged
• Input validation failures logged
• Sensitive operations logged
• Administrative actions logged
• Access to sensitive data logged

• Timestamp (UTC)
• User/session identifier
• Action performed
• Resource accessed
• Source IP address
• Outcome (success/failure)
• No sensitive data in logs (passwords, tokens, PII)

# Check log file permissions
find . -name "*.log" -ls 2>/dev/null

• Log files write-only for application
• Logs protected from tampering
• Logs rotated regularly
• Log retention policy defined
• Logs backed up
• Centralized logging implemented

• Real-time security monitoring
• Automated alerting configured
• Failed login threshold alerts
• Unusual activity detection
• Anomaly detection
• Security dashboard available

• Incident response plan documented
• Response team identified
• Alert escalation procedures
• Incident logging and tracking
• Post-incident review process

A10:2021 - Server-Side Request Forgery (SSRF)

# Find URL fetching code
grep -r "requests\.get\|urllib\.request\|fetch\|axios\.get" src/
grep -r "url.*request\|user.*url" src/

• User-supplied URLs validated
• URL whitelist implemented
• Protocol whitelist (HTTP/HTTPS only)
• Private IP ranges blocked
• DNS rebinding protection
• URL redirection limited

• Application in DMZ
• Internal services not accessible from app
• Firewall rules deny by default
• Outbound traffic restricted
• Service mesh/network policies configured

# Check for URL sanitization
grep -r "validate.*url\|sanitize.*url\|parse.*url" src/

• URL parsing and validation
• Hostname validation
• Port restrictions
• Path normalization
• No file:// protocol
• No access to metadata services (169.254.169.254)

Overall Compliance Report Format

# OWASP Top 10 2021 Compliance Report

**Date**: [YYYY-MM-DD]
**Application**: [name]
**Assessed By**: OWASP Checker

## Compliance Summary

| Category | Status | Critical Issues | Notes |
|----------|--------|-----------------|-------|
| A01 - Broken Access Control | ✅/⚠️/❌ | [count] | [summary] |
| A02 - Cryptographic Failures | ✅/⚠️/❌ | [count] | [summary] |
| A03 - Injection | ✅/⚠️/❌ | [count] | [summary] |
| A04 - Insecure Design | ✅/⚠️/❌ | [count] | [summary] |
| A05 - Security Misconfiguration | ✅/⚠️/❌ | [count] | [summary] |
| A06 - Vulnerable Components | ✅/⚠️/❌ | [count] | [summary] |
| A07 - Auth Failures | ✅/⚠️/❌ | [count] | [summary] |
| A08 - Integrity Failures | ✅/⚠️/❌ | [count] | [summary] |
| A09 - Logging Failures | ✅/⚠️/❌ | [count] | [summary] |
| A10 - SSRF | ✅/⚠️/❌ | [count] | [summary] |

**Legend**:
- ✅ Pass: Fully compliant
- ⚠️ Partial: Some issues, not critical
- ❌ Fail: Critical issues found

**Overall Compliance**: [XX]% ([X]/10 categories passed)

## Critical Findings

[List all critical non-compliance items that must be fixed]

## Recommendations

### Immediate (Critical)
1. [Item]

### Short-term (High)
1. [Item]

### Long-term (Medium)
1. [Item]

## Certification

This application [IS / IS NOT] compliant with OWASP Top 10 2021 standards.

**Assessor**: [name]
**Date**: [YYYY-MM-DD]
**Next Assessment**: [YYYY-MM-DD]

Best Practices

• Complete all categories
• Document evidence for each check
• Retest after remediation
• Keep assessment current (quarterly)

• Track compliance over time
• Maintain compliance dashboard
• Regular reassessment (quarterly)
• Update after major changes

• Fix critical items immediately
• Schedule high/medium items
• Document compensating controls
• Verify fixes effectiveness

• Keep detailed compliance records
• Document exceptions with justification
• Track remediation progress
• Maintain audit trail

Integration with Security Workflow

Remember

• Compliance is not security: OWASP Top 10 is baseline, not complete security
• Context matters: Adapt checks to your application type
• Defense in depth: Multiple layers of controls
• Continuous compliance: Not a one-time check
• Document everything: Maintain audit trail
• Stay current: OWASP Top 10 updates periodically