Loading...

security-testing

Original：🇨🇳 Chinese

Translated

1 scripts

Design security testing solutions, including OWASP Top 10, penetration testing, and vulnerability scanning. Default output is Markdown, and Excel/CSV/JSON output is available upon request. Use for security testing or security-testing.

2installs

Sourcenaodeng/awesome-qa-skills

Added on2026-03-04

NPX Install

npx skill4agent add naodeng/awesome-qa-skills security-testing

Tags

Translated version includes tags in frontmatter

security-testing owasp-top10 penetration-testing vulnerability-scanning zap-automation

SKILL.md Content (Chinese)

View Translation Comparison →

Security Testing (Chinese Version)

English Version: See the skill

security-testing-en

.

Prompt templates can be found in

prompts/security-testing.md

in this directory.

When to Use

When the user mentions "security testing" or "security-testing"
Need to execute such tests or deliver corresponding artifacts based on Standard-version
Trigger Examples: "Generate/design/write... based on the following content"

Output Format Options

Default is Markdown. If you need Excel / CSV / JSON, please specify it at the end of your request. For details, see output-formats.md.

How to Use

Open
```
prompts/security-testing.md
```
in this directory, copy the content below the dashed line into the AI conversation.
Attach your specific requirements.
If you need Excel/CSV/JSON, add the request sentence from output-formats.md at the end.

Code Examples

1. OWASP ZAP Security Scan

Complete OWASP ZAP security testing examples, including baseline scan, full scan, and API scan.

Location:

examples/owasp-zap-scan/

Included Content:

Baseline scan script (quick scan)
Full scan script (deep scan)
API scan script
Automated run script
Detailed README documentation

Quick Start:

bash

cd examples/owasp-zap-scan
./run-scan.sh baseline https://example.com

Test Coverage:

SQL injection detection
XSS vulnerability detection
CSRF vulnerability detection
Security configuration check
API security testing

For details: examples/owasp-zap-scan/README.md

Best Practices

Security Testing Principles

OWASP Top 10
- Injection Attacks
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
Testing Phases
- Development Phase: Static Code Analysis
- Testing Phase: Dynamic Security Testing
- Pre-Release: Penetration Testing
- Production Environment: Continuous Monitoring
Testing Methods
- Black-box Testing: No knowledge of internal implementation
- White-box Testing: Full knowledge of internal implementation
- Gray-box Testing: Partial knowledge of internal implementation

Tool Selection Recommendations

Tool	Applicable Scenario	Advantages
OWASP ZAP	Web Application Security	Open-source, easy to use, automated
Burp Suite	Penetration Testing	Powerful, professional
Nmap	Network Scanning	Port scanning, service identification
SQLMap	SQL Injection	Automated injection testing
Nikto	Web Server	Fast vulnerability scanning

Troubleshooting

Common Issues

1. ZAP Scan Timeout

Problem: Scan takes too long or times out

Solution:

bash

# Increase timeout
zap-baseline.py -t http://example.com --timeout 300

# Limit scan depth
zap-baseline.py -t http://example.com -m 3

2. Too Many False Positives

Problem: Scan results contain a large number of false positives

Solution:

Use custom scan policies
Exclude known false positives
Manually verify high-risk vulnerabilities
Adjust scan levels

3. Cannot Scan Authenticated Pages

Problem: ZAP cannot access pages after login

Solution:

bash

# Configure authentication
zap-cli auth \
  --auth-mode form \
  --auth-url http://example.com/login \
  --auth-username user \
  --auth-password pass

4. Docker Permission Issues

Problem: Cannot write report files

Solution:

bash

# Use correct permissions
docker run -u $(id -u):$(id -g) \
  -v $(pwd):/zap/wrk/:rw \
  owasp/zap2docker-stable \
  zap-baseline.py -t http://example.com

5. Certificate Verification Error

Problem: SSL certificate verification failed

Solution:

bash

# Skip certificate verification (test environment only)
zap-baseline.py -t https://example.com --hook-script skip-cert-check.py

6. Scan Blocked by WAF

Problem: Requests are blocked by Web Application Firewall

Solution:

Reduce scan speed
Use random User-Agent
Coordinate testing time with the security team
Use whitelisted IPs

7. Difficulty Interpreting Reports

Problem: Do not understand vulnerabilities in scan reports

Solution:

Refer to OWASP documentation
Manually verify vulnerabilities
Consult security experts
Refer to CVE database

Reference Files

prompts/security-testing.md — Security testing Standard-version prompt templates
output-formats.md — Instructions for requesting Markdown / Excel / CSV / JSON output
examples/owasp-zap-scan/ — Complete OWASP ZAP examples
quick-start.md — 5-minute quick start guide