一键在 Manus 中运行任何 Skill

$pwd:

api-security-review

Name: Api Security Review
Author: OWASP

// Comprehensive API security review against OWASP API Security Top 10 (2023). Use when reviewing OpenAPI/Swagger specs, auditing REST/GraphQL/gRPC implementations, testing authentication mechanisms, or checking API gateway configurations. Covers BOLA/IDOR, broken auth, mass assignment, rate limiting, SSRF, and more with real-world attack scenarios.

在 Manus 中运行

$ git log --oneline --stat

stars:78

forks:8

updated:2026年5月17日 20:08

SKILL.md

readonly

name	api-security-review
description	Comprehensive API security review against OWASP API Security Top 10 (2023). Use when reviewing OpenAPI/Swagger specs, auditing REST/GraphQL/gRPC implementations, testing authentication mechanisms, or checking API gateway configurations. Covers BOLA/IDOR, broken auth, mass assignment, rate limiting, SSRF, and more with real-world attack scenarios.
license	CC-BY-4.0

API Security Review

Perform comprehensive API security assessment following plays/api-security-review.md.

Steps

Discovery & Reconnaissance
- Parse OpenAPI/Swagger specs or scan code for endpoints
- Identify authentication mechanisms (JWT, OAuth 2.0, API keys, mTLS)
- Map API gateway and middleware configurations
- Enumerate all API versions and deprecated endpoints
Authentication Deep Dive
- JWT security (algorithm confusion, weak signing, token expiration)
- OAuth 2.0 flows (PKCE, state parameter, redirect URI validation)
- API key exposure and rotation policies
- Session management and token storage
Assess All 10 OWASP API Risks with attack scenarios:
- API1 BOLA — IDOR via predictable IDs, batch endpoint bypasses, ownership verification gaps
- API2 Broken Authentication — JWT attacks, OAuth flaws, brute force, credential stuffing
- API3 BOPA — Mass assignment, response over-exposure, field-level authz bypasses
- API4 Resource Consumption — Rate limit bypasses, pagination abuse, GraphQL DoS
- API5 BFLA — Admin endpoint discovery, horizontal/vertical privilege escalation
- API6 Business Flows — Automated abuse, inventory exhaustion, scraping attacks
- API7 SSRF — URL bypasses, DNS rebinding, cloud metadata access
- API8 Misconfiguration — CORS bypasses, verbose errors, missing headers
- API9 Inventory — Shadow APIs, zombie endpoints, version confusion
- API10 Unsafe Consumption — XXE, deserialization, webhook replay attacks
Automated Testing
- Run API security scanners (OWASP ZAP, Burp Suite, Postman tests)
- Test for common vulnerabilities with specific payloads
- Validate rate limiting and throttling mechanisms
API Gateway & Infrastructure Review
- Kong, nginx, Envoy, AWS API Gateway configurations
- WAF rules and bypass opportunities
- TLS configuration and certificate validation

Output

Comprehensive API security report including:

API surface inventory with authentication mechanisms
Risk matrix with severity ratings for all 10 categories
Detailed findings with proof-of-concept examples
Exploit scenarios and business impact analysis
Prioritized remediation roadmap with code examples
Testing artifacts and vulnerability evidence

OWASP References

OWASP API Security Top 10 (2023)
OWASP ASVS v5.0 — V13: API and Web Service
OWASP Testing Guide: WSTG-APIT
OWASP Cheat Sheet: REST Security, GraphQL Security, JWT Security, OAuth 2.0

related-skills.json

同仓库

agent-security-audit.md

from "OWASP/secure-agent-playbook"

Audit AI agent configurations for security risks — excessive permissions, prompt injection surfaces, data exfiltration paths, and missing guardrails. Use when reviewing CLAUDE.md files, MCP configs, agent orchestration code, or any AI agent setup.

2026-05-1778

agentic-ai-risk-assess.md

from "OWASP/secure-agent-playbook"

Assess agentic AI applications against the OWASP Top 10 for Agentic Applications 2026. Use when reviewing autonomous AI agents, multi-agent systems, or agentic workflows for security risks including goal hijacking, tool misuse, privilege abuse, and rogue agent behavior.

2026-05-1778

llm-risk-assess.md

from "OWASP/secure-agent-playbook"

Comprehensive LLM security assessment against OWASP Top 10 for LLM Applications 2025. Use when reviewing LLM-integrated applications, RAG pipelines, chatbots, AI agents, or GenAI features. Covers prompt injection, data poisoning, supply chain, excessive agency, and more with real-world attack scenarios and testing methodologies.

2026-05-1778

mcp-server-review.md

from "OWASP/secure-agent-playbook"

Security review of MCP (Model Context Protocol) server implementations and configurations. Use when auditing MCP server source code, evaluating third-party MCP servers before installation, or reviewing Claude Code MCP integrations for overpermissioning, injection risks, and data exposure.

2026-05-1778

prompt-injection-test.md

from "OWASP/secure-agent-playbook"

Test LLM-integrated applications against known prompt injection techniques, evasion methods, and attack intents using the Arcanum PI Taxonomy. Use when red-teaming AI apps, validating guardrails, or deepening LLM01 (Prompt Injection) assessments.

2026-05-1778

code-review-security.md

from "OWASP/secure-agent-playbook"

Security-focused code review mapped to OWASP Top 10 and ASVS. Use when reviewing pull requests, auditing files or modules for vulnerabilities, or performing pre-merge security gate checks. Covers injection, auth, authorization, cryptography, data exposure, misconfiguration, and deserialization.

2026-05-1778

package.json

"author": "OWASP"

"repository": "OWASP/secure-agent-playbook"

打开 GitHub 仓库查看创作者相关仓库

$ install --global

$ download --local

在 Manus 中运行

$ useful --forSOC

信息安全分析师计算机与数学类职业15-1212L4

name	api-security-review
description	Comprehensive API security review against OWASP API Security Top 10 (2023). Use when reviewing OpenAPI/Swagger specs, auditing REST/GraphQL/gRPC implementations, testing authentication mechanisms, or checking API gateway configurations. Covers BOLA/IDOR, broken auth, mass assignment, rate limiting, SSRF, and more with real-world attack scenarios.
license	CC-BY-4.0

API Security Review

Perform comprehensive API security assessment following plays/api-security-review.md.

Steps

Discovery & Reconnaissance
- Parse OpenAPI/Swagger specs or scan code for endpoints
- Identify authentication mechanisms (JWT, OAuth 2.0, API keys, mTLS)
- Map API gateway and middleware configurations
- Enumerate all API versions and deprecated endpoints
Authentication Deep Dive
- JWT security (algorithm confusion, weak signing, token expiration)
- OAuth 2.0 flows (PKCE, state parameter, redirect URI validation)
- API key exposure and rotation policies
- Session management and token storage
Assess All 10 OWASP API Risks with attack scenarios:
- API1 BOLA — IDOR via predictable IDs, batch endpoint bypasses, ownership verification gaps
- API2 Broken Authentication — JWT attacks, OAuth flaws, brute force, credential stuffing
- API3 BOPA — Mass assignment, response over-exposure, field-level authz bypasses
- API4 Resource Consumption — Rate limit bypasses, pagination abuse, GraphQL DoS
- API5 BFLA — Admin endpoint discovery, horizontal/vertical privilege escalation
- API6 Business Flows — Automated abuse, inventory exhaustion, scraping attacks
- API7 SSRF — URL bypasses, DNS rebinding, cloud metadata access
- API8 Misconfiguration — CORS bypasses, verbose errors, missing headers
- API9 Inventory — Shadow APIs, zombie endpoints, version confusion
- API10 Unsafe Consumption — XXE, deserialization, webhook replay attacks
Automated Testing
- Run API security scanners (OWASP ZAP, Burp Suite, Postman tests)
- Test for common vulnerabilities with specific payloads
- Validate rate limiting and throttling mechanisms
API Gateway & Infrastructure Review
- Kong, nginx, Envoy, AWS API Gateway configurations
- WAF rules and bypass opportunities
- TLS configuration and certificate validation

Output

Comprehensive API security report including:

API surface inventory with authentication mechanisms
Risk matrix with severity ratings for all 10 categories
Detailed findings with proof-of-concept examples
Exploit scenarios and business impact analysis
Prioritized remediation roadmap with code examples
Testing artifacts and vulnerability evidence

OWASP References

OWASP API Security Top 10 (2023)
OWASP ASVS v5.0 — V13: API and Web Service
OWASP Testing Guide: WSTG-APIT
OWASP Cheat Sheet: REST Security, GraphQL Security, JWT Security, OAuth 2.0

api-security-review

API Security Review

Steps

Output

OWASP References

同仓库更多 Skills

同仓库更多 Skills

API Security Review

Steps

Output

OWASP References