安全测试指南：OWASP ZAP、SQL注入、XSS等漏洞检测与防护最佳实践

security-testing by aj-geddes/useful-ai-prompts

211 周安装量

144 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/aj-geddes/useful-ai-prompts --skill security-testing

自动化测试安全

🇨🇳中文介绍

安全测试

概述

安全测试旨在识别应用程序中的漏洞、弱点和威胁，以确保数据保护、防止未经授权的访问并维护系统完整性。它结合了自动化扫描（SAST、DAST）与手动渗透测试和代码审查。

使用时机

测试 OWASP Top 10 漏洞
扫描依赖项以查找已知漏洞
测试身份验证和授权
验证输入净化
测试 API 安全性
检查敏感数据暴露
验证安全标头
测试会话管理

快速开始

最小工作示例：

# security_scan.py
from zapv2 import ZAPv2
import time

class SecurityScanner:
    def __init__(self, target_url, api_key=None):
        self.zap = ZAPv2(apikey=api_key, proxies={
            'http': 'http://localhost:8080',
            'https': 'http://localhost:8080'
        })
        self.target = target_url

    def scan(self):
        """运行完整的安全扫描。"""
        print(f"Scanning {self.target}...")

        # 爬取应用程序
        print("Spidering...")
        scan_id = self.zap.spider.scan(self.target)
        while int(self.zap.spider.status(scan_id)) < 100:
            time.sleep(2)
            print(f"Spider progress: {self.zap.spider.status(scan_id)}%")

        # 主动扫描
        print("Running active scan...")
// ... (完整实现请参阅参考指南)

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

🇺🇸English

Security Testing

Overview
When to Use
Quick Start
Reference Guides
Best Practices

Overview

Security testing identifies vulnerabilities, weaknesses, and threats in applications to ensure data protection, prevent unauthorized access, and maintain system integrity. It combines automated scanning (SAST, DAST) with manual penetration testing and code review.

When to Use

Testing for OWASP Top 10 vulnerabilities
Scanning dependencies for known vulnerabilities
Testing authentication and authorization
Validating input sanitization
Testing API security
Checking for sensitive data exposure
Validating security headers
Testing session management

Quick Start

Minimal working example:

# security_scan.py
from zapv2 import ZAPv2
import time

class SecurityScanner:
    def __init__(self, target_url, api_key=None):
        self.zap = ZAPv2(apikey=api_key, proxies={
            'http': 'http://localhost:8080',
            'https': 'http://localhost:8080'
        })
        self.target = target_url

    def scan(self):
        """Run full security scan."""
        print(f"Scanning {self.target}...")

        # Spider the application
        print("Spidering...")
        scan_id = self.zap.spider.scan(self.target)
        while int(self.zap.spider.status(scan_id)) < 100:
            time.sleep(2)
            print(f"Spider progress: {self.zap.spider.status(scan_id)}%")

        # Active scan
        print("Running active scan...")
// ... (see reference guides for full implementation)

Reference Guides

Detailed implementations in the references/ directory:

Guide	Contents
OWASP ZAP (DAST)	OWASP ZAP (DAST)
SQL Injection Testing	SQL Injection Testing
XSS Testing	XSS Testing
Authentication & Authorization Testing	Authentication & Authorization Testing
CSRF Protection Testing	CSRF Protection Testing
Dependency Vulnerability Scanning	Dependency Vulnerability Scanning
Security Headers Testing

Best Practices

✅ DO

Run security scans in CI/CD
Test with real attack vectors
Scan dependencies regularly
Use security headers
Implement rate limiting
Validate and sanitize all input
Use parameterized queries
Test authentication/authorization thoroughly

❌ DON'T

Store secrets in code
Trust user input
Expose detailed error messages
Skip dependency updates
Use default credentials
Ignore security warnings
Test only happy paths
Commit sensitive data

Weekly Installs

179

Repository

aj-geddes/usefu…-prompts

GitHub Stars

126

First Seen

Jan 21, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

opencode154

gemini-cli148

codex143

cursor138

claude-code136

github-copilot126

指南	内容
OWASP ZAP (DAST)	OWASP ZAP (DAST)
SQL 注入测试	SQL 注入测试
XSS 测试	XSS 测试
身份验证与授权测试	身份验证与授权测试
CSRF 防护测试	CSRF 防护测试
依赖项漏洞扫描	依赖项漏洞扫描
安全标头测试	安全标头测试
密钥检测	密钥检测

安全测试指南：OWASP ZAP、SQL注入、XSS等漏洞检测与防护最佳实践

🇨🇳中文介绍

安全测试

目录

概述

使用时机

快速开始

相关 Skills

参考指南

最佳实践

✅ 建议

❌ 不建议