Security Audit Skill

Expertise Areas

• Vulnerabilities: XXE, SQL injection, XSS, CSRF, command injection, path traversal, file upload, deserialization, SSRF, type juggling, SSTI, JWT flaws
• Risk Scoring: CVSS v3.1 and v4.0 methodology
• Secure Coding: Input validation, output encoding, cryptography, session management, authentication
• Standards: OWASP Top 10, CWE Top 25, OWASP ASVS, Proactive Controls

Reference Files

Core

• references/owasp-top10.md

  - OWASP Top 10 patterns and mitigations

• references/cwe-top25.md

  - CWE Top 25 (2025) coverage map with PHP examples

• references/xxe-prevention.md

  - XXE detection and prevention

• references/cvss-scoring.md

  - CVSS v3.1 and v4.0 scoring methodology

• references/api-key-encryption.md

  - API key encryption at rest (sodium)

Vulnerability Prevention

• references/deserialization-prevention.md

  - Insecure deserialization prevention

• references/path-traversal-prevention.md

  - Path traversal / directory traversal prevention

• references/file-upload-security.md

  - Secure file upload handling

• references/input-validation.md

  - Input validation, CSP nonces, CORS, encoding

Secure Architecture

• references/authentication-patterns.md

  - Authentication, session, JWT, MFA patterns

• references/security-headers.md

  - HTTP security headers (HSTS, CSP, etc.)

• references/security-logging.md

  - Security logging and audit trails

• references/cryptography-guide.md

  - PHP sodium, key management, common mistakes

Framework Security

• references/framework-security.md

  - TYPO3, Symfony, Laravel security patterns

Modern Threats

• references/modern-attacks.md

  - SSRF, mass assignment, race conditions

• references/cve-patterns.md

  - CVE-derived patterns (type juggling, PHAR, SSTI, JWT, LDAP injection)

• references/php-security-features.md

  - PHP 8.x security features

DevSecOps

• references/ci-security-pipeline.md

  - SAST, dependency scanning, SBOM, container security

• references/supply-chain-security.md

  - SLSA, Sigstore, OpenSSF Scorecard

Quick Patterns

$doc->loadXML($input, LIBXML_NONET);

$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$id]);

echo htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$encrypted = 'enc:' . base64_encode($nonce . sodium_crypto_secretbox($apiKey, $nonce, $key));

$hash = password_hash($password, PASSWORD_ARGON2ID);

Security Checklist

• bcrypt/Argon2 for passwords, CSRF tokens on state changes
• All input validated server-side, parameterized SQL
• XML external entities disabled (LIBXML_NONET only)
• Context-appropriate output encoding, CSP configured
• API keys encrypted at rest (sodium_crypto_secretbox)
• TLS 1.2+, secrets not in VCS, audit logging
• No unserialize() with user input, use json_decode()
• File uploads validated, renamed, stored outside web root
• Security headers: HSTS, CSP, X-Content-Type-Options
• Dependencies scanned (composer audit), Dependabot enabled

Verification

# PHP project security audit
./scripts/security-audit.sh /path/to/project

# GitHub repository security audit
./scripts/github-security-audit.sh owner/repo

Contributing: https://github.com/netresearch/security-audit-skill