القائمة
Run OWASP+ security vulnerability testing on a URL. Use when user wants to test security, find XSS, SQL injection, check headers, CSRF, authentication security, or data exposure.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
Master index for all UI testing skills. Lists available test suites and their coverage.
Run comprehensive WCAG 2.1 AA+ accessibility tests on a URL. Use when user wants to test accessibility, a11y compliance, screen reader support, or keyboard navigation.
Run the complete UI testing suite — all 16 test skills across functional testing and UX design quality. Use when user wants a comprehensive site audit, full test suite, or complete quality assessment.
Audit design system consistency across pages. Use when user wants to check visual consistency, design tokens, component reuse, color palette, typography, spacing, or cross-page uniformity.
Analyze conversion optimization, cognitive load, and trust signals. Use when user wants to audit conversion funnels, reduce friction, analyze cognitive load, check trust signals, or optimize CTAs.
Test cross-browser consistency across Chromium, Firefox, and WebKit. Use when user wants to verify browser compatibility, cross-browser layout, or browser-specific issues.
| name | test-security |
| description | Run OWASP+ security vulnerability testing on a URL. Use when user wants to test security, find XSS, SQL injection, check headers, CSRF, authentication security, or data exposure. |
| allowed-tools | Bash(playwright-cli:*) Bash(npx:*) Bash(mkdir:*) |
Run 55 security test cases across 5 parallel agents covering injection attacks, HTTP security headers, authentication security, data exposure, and client-side vulnerabilities.
Authorization context: This skill is designed for authorized security testing — pentesting engagements, security audits, and development/staging environments. Always test only URLs you own or have explicit permission to test.
URL="${ARGUMENTS:-http://localhost:3000}"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
OUTDIR="test-results/test-security/$TIMESTAMP"
mkdir -p "$OUTDIR/screenshots" "$OUTDIR/snapshots" "$OUTDIR/traces"
Before running, verify prerequisites per references/prerequisites.md.
-s=sec-injection)Tests injection vulnerabilities across all input vectors.
playwright-cli -s=sec-injection open "$URL"
playwright-cli -s=sec-injection tracing-start
playwright-cli -s=sec-injection snapshot --filename="$OUTDIR/snapshots/injection-initial.yaml"
Test Cases:
| TC | Test | How to Check |
|---|---|---|
| TC-S1 | Reflected XSS in inputs + URL params | Fill every input with <script>alert(1)</script>, submit, check if script appears unescaped in DOM. Also test URL params: ?q=<script>alert(1)</script> |
| TC-S2 | Stored XSS | Submit XSS payload, reload page, run-code to check for script execution or unescaped payload in DOM |
| TC-S3 | DOM-based XSS | Navigate to URL#<img onerror=alert(1) src=x>, check DOM. Try javascript: in URL inputs |
| TC-S4 | SVG XSS | If file upload exists: attempt upload with SVG containing <svg onload=alert(1)>. Also test <svg> in text inputs |
| TC-S5 | SQL injection | Fill inputs with ' OR 1=1--, '; DROP TABLE users--, ' UNION SELECT null--, check for database errors or unexpected data |
| TC-S6 | NoSQL injection | If JSON-based forms: test {"$gt": ""}, {"$ne": null} patterns via run-code with fetch API |
| TC-S7 | Command injection | Fill inputs with ; ls, `whoami`, $(cat /etc/passwd), check for command output in response |
| TC-S8 | HTML injection | Fill inputs with <h1>injected</h1>, <iframe src=evil.com>, verify HTML is escaped in output |
| TC-S9 | LDAP/XPath injection | Fill inputs with *)(objectClass=*, ' or '1'='1, check for errors |
| TC-S10 | Template injection | Fill inputs with {{7*7}}, ${7*7}, <%= 7*7 %>, check if output shows 49 |
playwright-cli -s=sec-injection tracing-stop
playwright-cli -s=sec-injection close
-s=sec-headers)Tests HTTP security headers and TLS configuration.
playwright-cli -s=sec-headers open "$URL"
playwright-cli -s=sec-headers tracing-start
Test Cases:
Use run-code with fetch(url) to inspect response headers, or playwright-cli network after page load.
| TC | Test | How to Check |
|---|---|---|
| TC-S11 | Content-Security-Policy present + configured | run-code to fetch and check CSP header exists, has script-src, style-src, default-src |
| TC-S12 | X-Frame-Options or CSP frame-ancestors | Check for X-Frame-Options: DENY/SAMEORIGIN or CSP frame-ancestors directive |
| TC-S13 | X-Content-Type-Options: nosniff | Check header present and value is nosniff |
| TC-S14 | Strict-Transport-Security (HSTS) | Check for HSTS header with includeSubDomains and reasonable max-age (≥31536000) |
| TC-S15 | Referrer-Policy | Check for no-referrer, strict-origin, or strict-origin-when-cross-origin |
| TC-S16 | Permissions-Policy | Check header restricts camera, microphone, geolocation |
| TC-S17 | X-XSS-Protection | Check header present (legacy but still checked) |
| TC-S18 | Cache-Control on sensitive pages | Check no-store or no-cache on pages with forms/auth |
| TC-S19 | HTTPS enforcement | run-code to try HTTP URL, verify redirect to HTTPS |
| TC-S20 | Mixed content | run-code to find any HTTP resources loaded on HTTPS page (scripts, images, stylesheets) |
| TC-S21 | CORS headers properly scoped | Check Access-Control-Allow-Origin is not * on authenticated endpoints |
| TC-S22 | Server header removed/generic | Check Server header doesn't expose version info (e.g., Apache/2.4.51) |
playwright-cli -s=sec-headers tracing-stop
playwright-cli -s=sec-headers close
-s=sec-auth)Tests authentication and session security.
playwright-cli -s=sec-auth open "$URL"
playwright-cli -s=sec-auth tracing-start
Test Cases:
| TC | Test | How to Check |
|---|---|---|
| TC-S23 | CSRF tokens on state-changing forms | run-code to find forms with POST method, check for hidden CSRF token field |
| TC-S24 | CSRF token changes per session/request | Load page twice in different sessions, compare CSRF tokens |
| TC-S25 | Session cookie flags | cookie-list and check session cookies for HttpOnly, Secure, SameSite flags |
| TC-S26 | Session ID changes after login | Record session ID before login, login, compare session ID after |
| TC-S27 | Logout invalidates session | Login, save session cookie, logout, try using saved cookie, verify rejected |
| TC-S28 | Password field uses type="password" | run-code to find password fields, verify type="password" |
| TC-S29 | Login form served over HTTPS | Check login page URL starts with https:// |
| TC-S30 | No user enumeration | Try login with invalid user vs invalid password, compare error messages — should be identical |
| TC-S31 | Account lockout after N failed attempts | Attempt 5+ failed logins, check if account locks or rate limits |
| TC-S32 | Password policy enforced | Try weak passwords ("123", "password", "a"), verify rejection |
| TC-S33 | No autocomplete on sensitive fields | run-code to check autocomplete="off" or autocomplete="new-password" on password/CC fields |
| TC-S34 | JWT not stored in localStorage | localstorage-list and check for JWT tokens (long base64 strings with two dots) |
| TC-S35 | OAuth redirect_uri validated | If OAuth present: try redirect_uri=https://evil.com, verify rejected |
playwright-cli -s=sec-auth tracing-stop
playwright-cli -s=sec-auth close
-s=sec-data)Tests data exposure and privacy issues.
playwright-cli -s=sec-data open "$URL"
playwright-cli -s=sec-data tracing-start
Test Cases:
| TC | Test | How to Check |
|---|---|---|
| TC-S36 | Sensitive data in URLs | Check current URL and all links for tokens, passwords, SSN patterns in query strings |
| TC-S37 | Sensitive data in localStorage/sessionStorage | localstorage-list and sessionstorage-list, look for PII, tokens, passwords |
| TC-S38 | API keys/secrets in page source or JS | run-code to get page HTML and inline scripts, regex for API key patterns (sk_, api_key, secret) |
| TC-S39 | Source maps in production | run-code to check for .map references in loaded scripts, try fetching them |
| TC-S40 | Stack traces/debug info in errors | Trigger 404/500 errors, check response for stack traces, file paths, debug info |
| TC-S41 | Directory listing enabled | Navigate to /uploads/, /api/, /static/, check for directory listing |
| TC-S42 | Server version in headers/errors | Check Server, X-Powered-By headers for version numbers |
| TC-S43 | Sensitive files accessible | Try fetching /.env, /.git/config, /package.json, /wp-config.php, check if accessible |
| TC-S44 | PII in HTML comments | run-code to extract all HTML comments, check for emails, phone numbers, internal notes |
| TC-S45 | Credit card/SSN fields autofill exclusion | Check autocomplete="off" on CC/SSN fields |
playwright-cli -s=sec-data tracing-stop
playwright-cli -s=sec-data close
-s=sec-client)Tests client-side security vulnerabilities.
playwright-cli -s=sec-client open "$URL"
playwright-cli -s=sec-client tracing-start
Test Cases:
| TC | Test | How to Check |
|---|---|---|
| TC-S46 | Open redirects | Navigate to ?redirect=https://evil.com, ?next=//evil.com, verify no redirect to external domain |
| TC-S47 | Clickjacking protection | Verify X-Frame-Options header or CSP frame-ancestors prevents embedding in iframe |
| TC-S48 | Window.opener vulnerability | run-code to find external links without rel="noopener noreferrer" |
| TC-S49 | Insecure postMessage | run-code to find addEventListener('message') handlers, check if origin is validated |
| TC-S50 | eval()/innerHTML with user input | run-code to search page scripts for eval(, innerHTML =, document.write( patterns |
| TC-S51 | Subresource integrity (SRI) on CDN scripts | run-code to find external scripts from CDNs, check for integrity attribute |
| TC-S52 | Outdated JS libraries | run-code to detect library versions (jQuery, Bootstrap, Angular, React), flag known vulnerable versions |
| TC-S53 | WebSocket security | run-code to find WebSocket connections, verify wss:// not ws:// |
| TC-S54 | File upload without validation | If file upload exists: try uploading .html, .svg, .exe files |
| TC-S55 | Content-Disposition on downloads | Click download links, check Content-Disposition: attachment header via run-code with fetch |
playwright-cli -s=sec-client tracing-stop
playwright-cli -s=sec-client close
After execution, if any tests failed, follow the fix loop process in references/fix-loop.md.
Max 3 attempts. Only re-run failed test cases.
Include fix attempt history in the report.
After all 5 agents complete, merge results into $OUTDIR/report.md following the standard report format.
Security findings should be grouped by severity:
playwright-cli -s=sec-injection close 2>/dev/null
playwright-cli -s=sec-headers close 2>/dev/null
playwright-cli -s=sec-auth close 2>/dev/null
playwright-cli -s=sec-data close 2>/dev/null
playwright-cli -s=sec-client close 2>/dev/null