🇺🇸English
Security Testing
<default_to_action> When testing security or conducting audits:
- TEST OWASP Top 10 vulnerabilities systematically
- VALIDATE authentication and authorization on every endpoint
- SCAN dependencies for known vulnerabilities (npm audit)
- CHECK for injection attacks (SQL, XSS, command)
- VERIFY secrets aren't exposed in code/logs
Quick Security Checks:
- Access control → Test horizontal/vertical privilege escalation
- Crypto → Verify password hashing, HTTPS, no sensitive data exposed
- Injection → Test SQL injection, XSS, command injection
- Auth → Test weak passwords, session fixation, MFA enforcement
- Config → Check error messages don't leak info
Critical Success Factors:
- Think like an attacker, build like a defender
- Security is built in, not added at the end
- Test continuously in CI/CD, not just before release </default_to_action>
Quick Reference Card
When to Use
- Security audits and penetration testing
- Testing authentication/authorization
- Validating input sanitization
- Reviewing security configuration
OWASP Top 10 (2021)
| Vulnerability | Key Test
---|---|---
1 | Broken Access Control | User A accessing User B's data
2 | Cryptographic Failures | Plaintext passwords, HTTP
3 | Injection | SQL/XSS/command injection
4 | Insecure Design | Rate limiting, session timeout
5 | Security Misconfiguration | Verbose errors, exposed /admin
6 | Vulnerable Components | npm audit, outdated packages
7 | Auth Failures | Weak passwords, no MFA
8 | Integrity Failures | Unsigned updates, malware
9 | Logging Failures | No audit trail for breaches
10 | SSRF | Server fetching internal URLs
Tools
| Type | Tool | Purpose |
|---|
| SAST | SonarQube, Semgrep | Static code analysis |
| DAST | OWASP ZAP, Burp | Dynamic scanning |
| Deps | npm audit, Snyk | Dependency vulnerabilities |
| Secrets | git-secrets, TruffleHog | Secret scanning |
Agent Coordination
qe-security-scanner: Multi-layer SAST/DAST scanningqe-api-contract-validator: API security testingqe-quality-analyzer: Security code review
Key Vulnerability Tests
1. Broken Access Control
// Horizontal escalation - User A accessing User B's data
test('user cannot access another user\'s order', async () => {
const userAToken = await login('userA');
const userBOrder = await createOrder('userB');
const response = await api.get(`/orders/${userBOrder.id}`, {
headers: { Authorization: `Bearer ${userAToken}` }
});
expect(response.status).toBe(403);
});
// Vertical escalation - Regular user accessing admin
test('regular user cannot access admin', async () => {
const userToken = await login('regularUser');
expect((await api.get('/admin/users', {
headers: { Authorization: `Bearer ${userToken}` }
})).status).toBe(403);
});
2. Injection Attacks
// SQL Injection
test('prevents SQL injection', async () => {
const malicious = "' OR '1'='1";
const response = await api.get(`/products?search=${malicious}`);
expect(response.body.length).toBeLessThan(100); // Not all products
});
// XSS
test('sanitizes HTML output', async () => {
const xss = '<script>alert("XSS")</script>';
await api.post('/comments', { text: xss });
const html = (await api.get('/comments')).body;
expect(html).toContain('<script>');
expect(html).not.toContain('<script>');
});
3. Cryptographic Failures
test('passwords are hashed', async () => {
await db.users.create({ email: 'test@example.com', password: 'MyPassword123' });
const user = await db.users.findByEmail('test@example.com');
expect(user.password).not.toBe('MyPassword123');
expect(user.password).toMatch(/^\$2[aby]\$\d{2}\$/); // bcrypt
});
test('no sensitive data in API response', async () => {
const response = await api.get('/users/me');
expect(response.body).not.toHaveProperty('password');
expect(response.body).not.toHaveProperty('ssn');
});
4. Security Misconfiguration
test('errors don\'t leak sensitive info', async () => {
const response = await api.post('/login', { email: 'nonexistent@test.com', password: 'wrong' });
expect(response.body.error).toBe('Invalid credentials'); // Generic message
});
test('sensitive endpoints not exposed', async () => {
const endpoints = ['/debug', '/.env', '/.git', '/admin'];
for (let ep of endpoints) {
expect((await fetch(`https://example.com${ep}`)).status).not.toBe(200);
}
});
5. Rate Limiting
test('rate limiting prevents brute force', async () => {
const responses = [];
for (let i = 0; i < 20; i++) {
responses.push(await api.post('/login', { email: 'test@example.com', password: 'wrong' }));
}
expect(responses.filter(r => r.status === 429).length).toBeGreaterThan(0);
});
Security Checklist
Authentication
- Strong password requirements (12+ chars)
- Password hashing (bcrypt, scrypt, Argon2)
- MFA for sensitive operations
- Account lockout after failed attempts
- Session ID changes after login
- Session timeout
Authorization
- Check authorization on every request
- Least privilege principle
- No horizontal escalation
- No vertical escalation
Data Protection
- HTTPS everywhere
- Encrypted at rest
- Secrets not in code/logs
- PII compliance (GDPR)
Input Validation
- Server-side validation
- Parameterized queries (no SQL injection)
- Output encoding (no XSS)
- Rate limiting
CI/CD Integration
# GitHub Actions
security-checks:
steps:
- name: Dependency audit
run: npm audit --audit-level=high
- name: SAST scan
run: npm run sast
- name: Secret scan
uses: trufflesecurity/trufflehog@main
- name: DAST scan
if: github.ref == 'refs/heads/main'
run: docker run owasp/zap2docker-stable zap-baseline.py -t https://staging.example.com
Pre-commit hooks:
#!/bin/sh
git-secrets --scan
npm run lint:security
Agent-Assisted Security Testing
// Comprehensive multi-layer scan
await Task("Security Scan", {
target: 'src/',
layers: { sast: true, dast: true, dependencies: true, secrets: true },
severity: ['critical', 'high', 'medium']
}, "qe-security-scanner");
// OWASP Top 10 testing
await Task("OWASP Scan", {
categories: ['broken-access-control', 'injection', 'cryptographic-failures'],
depth: 'comprehensive'
}, "qe-security-scanner");
// Validate fix
await Task("Validate Fix", {
vulnerability: 'CVE-2024-12345',
expectedResolution: 'upgrade package to v2.0.0',
retestAfterFix: true
}, "qe-security-scanner");
Agent Coordination Hints
Memory Namespace
aqe/security/
├── scans/* - Scan results
├── vulnerabilities/* - Found vulnerabilities
├── fixes/* - Remediation tracking
└── compliance/* - Compliance status
Fleet Coordination
const securityFleet = await FleetManager.coordinate({
strategy: 'security-testing',
agents: [
'qe-security-scanner',
'qe-api-contract-validator',
'qe-quality-analyzer',
'qe-deployment-readiness'
],
topology: 'parallel'
});
Common Mistakes
❌ Security by Obscurity
Hiding admin at /super-secret-admin → Use proper auth
❌ Client-Side Validation Only
JavaScript validation can be bypassed → Always validate server-side
❌ Trusting User Input
Assuming input is safe → Sanitize, validate, escape all input
❌ Hardcoded Secrets
API keys in code → Environment variables, secret management
Compliance & Agent CLI
For v3 agent-specific commands (aqe security ...), SAST/DAST scanning code, compliance audits (SOC2/GDPR/HIPAA), secret detection, and security gates, see references/compliance-agent-commands.md.
Related Skills
- agentic-quality-engineering - Security with agents
- api-testing-patterns - API security testing
- compliance-testing - GDPR, HIPAA, SOC2
Remember
Think like an attacker: What would you try to break? Test that. Build like a defender: Assume input is malicious until proven otherwise. Test continuously: Security testing is ongoing, not one-time.
With Agents: Agents automate vulnerability scanning, track remediation, and validate fixes. Use agents to maintain security posture at scale.
Run History
After each security scan, append results to run-history.json in this skill directory:
node -e "
const fs = require('fs');
const h = JSON.parse(fs.readFileSync('.claude/skills/security-testing/run-history.json'));
h.runs.push({date: new Date().toISOString().split('T')[0], scan_types: ['sast','deps'], findings: {critical: 0, high: 0, medium: 0, low: 0}});
fs.writeFileSync('.claude/skills/security-testing/run-history.json', JSON.stringify(h, null, 2));
"
Read run-history.json before each scan — track finding count by severity over time. Alert if critical findings increase.
Skill Composition
- During code review → Use with
/code-review-quality for combined quality + security review
- Validate findings → Use
/pentest-validation to prove exploitability
- Compliance → Use
/compliance-testing for regulatory requirements
Gotchas
npm audit may report false positives for dev dependencies — filter with --omit=dev for production-relevant results- Agent may skip DAST in favor of faster SAST-only scans — explicitly request both if needed
- security-compliance domain has 100% success rate — use as model for other skill reliability
- When scanning dependencies, check both direct and transitive —
npm audit --all catches nested vulnerabilities
Weekly Installs
68
Repository
proffesor-for-t…entic-qe
GitHub Stars
281
First Seen
Jan 24, 2026
Security Audits
Gen Agent Trust HubWarnSocketWarnSnykPass
Installed on
github-copilot65
codex65
gemini-cli65
opencode65
cursor64
amp63
