web-security-testing

Web Security Testing Workflow

Overview

Specialized workflow for testing web applications against OWASP Top 10 vulnerabilities including injection attacks, XSS, broken authentication, and access control issues.

When to Use This Workflow

Use this workflow when:
  • Testing web application security
  • Performing OWASP Top 10 assessment
  • Conducting penetration tests
  • Validating security controls
  • Bug bounty hunting

Workflow Phases

Phase 1: Reconnaissance

Skills to Invoke

  • scanning-tools
    - Security scanning
  • top-web-vulnerabilities
    - OWASP knowledge

Actions

  1. Map application surface
  2. Identify technologies
  3. Discover endpoints
  4. Find subdomains
  5. Document findings

Copy-Paste Prompts

Use @scanning-tools to perform web application reconnaissance
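
The reconnaissance steps above (surface mapping, technology identification, endpoint discovery), shown as an added Python example that is not part of this workflow bundle. It parses a constructed HTML page and response headers for an assumed host, app.example.com, so it runs offline; subdomain discovery needs DNS and is left out.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample response for an assumed target; nothing here was captured from a
# real host. Subdomain discovery needs DNS and is left out so the script runs offline.
SAMPLE_URL = "https://app.example.com/"
SAMPLE_HEADERS = {
    "Server": "nginx/1.24.0",
    "X-Powered-By": "PHP/8.2.12",
    "Set-Cookie": "PHPSESSID=0123456789abcdef; Path=/; HttpOnly",
}
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 6.4">
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body>
<a href="/wp-login.php">Login</a>
<a href="/wp-login.php#top">Login (anchor)</a>
<a href="/?p=12">Post</a>
<a href="https://cdn.example.net/lib.js">external</a>
<form action="/" method="get"><input name="s"></form>
<form action="/wp-comments-post.php" method="post">
  <input name="comment"><input name="comment_post_ID">
</form>
</body></html>
"""


class SurfaceParser(HTMLParser):
    """Collects links, script sources, forms (action, method, input names) and the generator meta tag."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links, self.scripts, self.forms = set(), set(), []
        self.generator = None
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(urljoin(self.base_url, a["href"]))
        elif tag == "script" and a.get("src"):
            self.scripts.add(urljoin(self.base_url, a["src"]))
        elif tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        elif tag == "form":
            self._form = {"action": urljoin(self.base_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").upper(), "inputs": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def fingerprint(headers, generator):
    """Technology hints from response headers, the session cookie name and the generator meta tag."""
    tech = set()
    for name in ("Server", "X-Powered-By"):
        if headers.get(name):
            tech.add(headers[name])
    cookie_name = headers.get("Set-Cookie", "").split("=", 1)[0]
    cookie_hints = {"PHPSESSID": "PHP", "JSESSIONID": "Java servlet container",
                    "ASP.NET_SessionId": "ASP.NET", "connect.sid": "Express/connect"}
    if cookie_name in cookie_hints:
        tech.add(cookie_hints[cookie_name])
    if generator:
        tech.add(generator)
    return tech


def map_surface(base_url, headers, html):
    """Return same-origin endpoints (fragments dropped), forms, off-host references and technology hints."""
    parser = SurfaceParser(base_url)
    parser.feed(html)
    host = urlparse(base_url).netloc
    refs = parser.links | parser.scripts
    endpoints = sorted({u.split("#", 1)[0] for u in refs if urlparse(u).netloc == host})
    external = sorted(u for u in refs if urlparse(u).netloc != host)
    return {"endpoints": endpoints, "forms": parser.forms, "external": external,
            "technologies": fingerprint(headers, parser.generator)}


if __name__ == "__main__":
    for key, value in map_surface(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Against a live target the same parser is fed the body of each in-scope endpoint it discovers, and the form list becomes the injection points for Phases 2 and 3. Off-host references are recorded as leads, not targets, until scope confirms them.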

Phase 2: Injection Testing

Skills to Invoke

  • sql-injection-testing
    - SQL injection
  • sqlmap-database-pentesting
    - SQLMap

Actions

  1. Test SQL injection
  2. Test NoSQL injection
  3. Test command injection
  4. Test LDAP injection
  5. Document vulnerabilities

Copy-Paste Prompts

Use @sql-injection-testing to test for SQL injection
Use @sqlmap-database-pentesting to automate SQL injection testing
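
Steps 1 and 5 above as an added example, not code from the bundle or from sqlmap: a vulnerable lookup and its parameterised fix against an in-memory SQLite table seeded with constructed rows, plus the error-based and boolean-based differential checks that sqlmap automates. The table, its rows and the `alice` account are assumptions. NoSQL, command and LDAP injection (steps 2 to 4) use the same true/false differential with their own metacharacters.

```python
import sqlite3

# In-memory database seeded with constructed rows; stands in for the target's backend.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_admin INTEGER);
INSERT INTO users VALUES (1, 'alice', 'alice@example.com', 1);
INSERT INTO users VALUES (2, 'bob',   'bob@example.com',   0);
""")


def lookup_vulnerable(username):
    """Deliberately vulnerable: the input is spliced into the SQL text, so a quote
    ends the string literal and everything after it is parsed as SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(username):
    """Fixed form: the value is bound as a parameter and can never become SQL syntax."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def probe(lookup, value):
    """Reduce one request to the two signals a tester compares: row count and error state.
    Against a live target these are response length/content and HTTP status."""
    try:
        return {"rows": len(lookup(value)), "error": False}
    except sqlite3.Error:
        return {"rows": 0, "error": True}


def check_error_based(lookup, known_value="alice"):
    """A single unbalanced quote raising a database error shows the input reached the SQL parser."""
    return probe(lookup, known_value + "'")["error"]


def check_boolean_based(lookup, known_value="alice"):
    """Append a true and a false tautology. Only if the quote escapes the literal does the
    true variant match the baseline while the false variant differs from it."""
    baseline = probe(lookup, known_value)
    true_case = probe(lookup, known_value + "' AND '1'='1")
    false_case = probe(lookup, known_value + "' AND '1'='2")
    return (not true_case["error"]
            and true_case["rows"] == baseline["rows"]
            and false_case["rows"] != baseline["rows"])


def auth_bypass(lookup):
    """Classic tautology: returns every row when the query is injectable, nothing otherwise."""
    return lookup("x' OR '1'='1")


if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("hardened", lookup_hardened)):
        print(name, "error-based:", check_error_based(fn),
              "boolean-based:", check_boolean_based(fn),
              "rows via tautology:", len(auth_bypass(fn)))
```

The boolean check is the one to trust on targets that swallow database errors: a blind injection shows no error at all, only the true/false difference in the response.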

Phase 3: XSS Testing

Skills to Invoke

  • xss-html-injection
    - XSS testing
  • html-injection-testing
    - HTML injection

Actions

  1. Test reflected XSS
  2. Test stored XSS
  3. Test DOM-based XSS
  4. Test XSS filters
  5. Document findings

Copy-Paste Prompts

Use @xss-html-injection to test for cross-site scripting
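
Reflected XSS and filter testing (steps 1 and 4) as an added Python example, not part of the original bundle: a constructed payload list is pushed through a deliberately weak tag-stripping filter and through proper output encoding, and a small HTML tokeniser decides which reflections would still execute. Stored XSS uses the same payloads with persistence in between; DOM-based XSS lives in client-side sinks and has to be tested in the browser, so it is not covered here.

```python
import html
import re
from html.parser import HTMLParser

# Constructed reflected-XSS payloads, ordered by the filter-evasion class each one exercises.
PAYLOADS = [
    "<script>alert(1)</script>",            # baseline
    "<ScRiPt>alert(1)</ScRiPt>",            # case variation
    "<scr<script>ipt>alert(1)</script>",    # nested tag reassembles after a single-pass strip
    "<img src=x onerror=alert(1)>",         # event handler, no script tag at all
    '" autofocus onfocus=alert(1) x="',     # breaks out of a quoted attribute value
]


def render_naive(value):
    """Deliberately weak filter: strips <script> tags in one pass, then reflects the
    remainder into both element content and an attribute value."""
    cleaned = re.sub(r"</?script[^>]*>", "", value, flags=re.IGNORECASE)
    return f'<p>Results for: {cleaned}</p><input name="q" value="{cleaned}">'


def render_encoded(value):
    """Hardened form: entity-encode for the HTML text and quoted-attribute contexts.
    JavaScript, URL and CSS contexts need their own encoders and are not covered here."""
    safe = html.escape(value, quote=True)
    return f'<p>Results for: {safe}</p><input name="q" value="{safe}">'


class ExecSniffer(HTMLParser):
    """Tokenises the rendered page the way a browser would and records anything that
    would run script: a <script> element or any on* event-handler attribute."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script")
        for name, _ in attrs:
            if name.startswith("on"):
                self.hits.append(f"{tag}@{name}")


def would_execute(rendered):
    """Return the executable constructs found in rendered HTML (empty list means inert)."""
    sniffer = ExecSniffer()
    sniffer.feed(rendered)
    return sniffer.hits


def run_reflected_xss_tests(render):
    """Return the payloads that still execute after passing through a given render/filter."""
    return [p for p in PAYLOADS if would_execute(render(p))]


if __name__ == "__main__":
    print("survive naive filter:", run_reflected_xss_tests(render_naive))
    print("survive output encoding:", run_reflected_xss_tests(render_encoded))
```

The naive filter stops the first two payloads and lets the other three through, which is the usual outcome of blacklisting: the fix is context-aware output encoding at the reflection point, not a longer list of banned tags.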

Phase 4: Authentication Testing

Skills to Invoke

  • broken-authentication
    - Authentication testing

Actions

  1. Test credential stuffing
  2. Test brute force protection
  3. Test session management
  4. Test password policies
  5. Test MFA implementation

Copy-Paste Prompts

Use @broken-authentication to test authentication security
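
Brute-force protection, session management and the session-cookie check from steps 2 and 3 as an added example (not the bundle's own code). A deliberately weak login service sits beside a hardened one; the account, its password and the lockout threshold of five are assumptions. Credential stuffing is the same harness driven by a breached username/password list instead of wrong passwords for one account.

```python
import hmac
import secrets
from hashlib import sha256

# Constructed credential store: one assumed account with an assumed password.
USERS = {"alice": sha256(b"correct horse battery").hexdigest()}


def password_matches(username, password):
    """Constant-time compare against the stored hash; unknown users compare against ''."""
    return hmac.compare_digest(USERS.get(username, ""), sha256(password.encode()).hexdigest())


class VulnerableAuth:
    """Deliberately weak: no failure counting, the pre-authentication session id is kept
    after login (session fixation), and the cookie carries no Secure/HttpOnly/SameSite."""

    def __init__(self):
        self.sessions = {}

    def start_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return sid

    def login(self, sid, username, password):
        if password_matches(username, password):
            self.sessions[sid] = username
            return 200, sid, f"session={sid}; Path=/"
        return 401, sid, None


class HardenedAuth:
    """Locks the account after MAX_FAILURES bad attempts, issues a fresh session id on
    successful login and sets the attributes a session cookie needs."""

    MAX_FAILURES = 5

    def __init__(self):
        self.sessions, self.failures = {}, {}

    def start_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return sid

    def login(self, sid, username, password):
        if self.failures.get(username, 0) >= self.MAX_FAILURES:
            return 429, sid, None
        if not password_matches(username, password):
            self.failures[username] = self.failures.get(username, 0) + 1
            return 401, sid, None
        self.failures.pop(username, None)
        self.sessions.pop(sid, None)            # retire the pre-auth id
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = username
        return 200, new_sid, f"session={new_sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


def check_bruteforce_protection(auth, username, attempts=20):
    """Submit wrong passwords until the service stops answering with a plain 401."""
    sid = auth.start_session()
    accepted = 0
    for i in range(attempts):
        status, _, _ = auth.login(sid, username, f"wrong-{i}")
        if status != 401:
            break
        accepted += 1
    return {"throttled": accepted < attempts, "attempts_before_throttle": accepted}


def check_session_rotation(auth, username, password):
    """A login that keeps the pre-auth session id leaves the app open to session fixation."""
    pre = auth.start_session()
    status, post, _ = auth.login(pre, username, password)
    return status == 200 and post != pre


def audit_session_cookie(set_cookie):
    """Report which protective attributes the Set-Cookie header actually carries."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return {"secure": "secure" in attrs, "httponly": "httponly" in attrs,
            "samesite": "samesite" in attrs}


if __name__ == "__main__":
    for name, cls in (("vulnerable", VulnerableAuth), ("hardened", HardenedAuth)):
        print(name, "lockout:", check_bruteforce_protection(cls(), "alice"))
        svc = cls()                              # fresh instance, not locked by the run above
        print(name, "rotates session:", check_session_rotation(svc, "alice", "correct horse battery"))
        cookie = svc.login(svc.start_session(), "alice", "correct horse battery")[2]
        print(name, "cookie:", audit_session_cookie(cookie))
```

Use a fresh service instance (or a fresh account) for each check: the lockout triggered by the brute-force run would otherwise mask the result of the session test that follows it.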

Phase 5: Access Control Testing

Skills to Invoke

  • idor-testing
    - IDOR testing
  • file-path-traversal
    - Path traversal

Actions

  1. Test vertical privilege escalation
  2. Test horizontal privilege escalation
  3. Test IDOR vulnerabilities
  4. Test directory traversal
  5. Test unauthorized access

Copy-Paste Prompts

Use @idor-testing to test for insecure direct object references
Use @file-path-traversal to test for path traversal
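
Steps 1 to 4 above as one added Python example, not code from the bundle: an owner-tagged invoice store for the IDOR (horizontal) and vertical escalation checks, and a path resolver for directory traversal, each in a vulnerable and a hardened form. The document root, invoice records and the alice/bob/carol accounts are constructed fixtures.

```python
import posixpath
from urllib.parse import unquote

# Constructed fixtures: an assumed document root, an owner-tagged object store and a role map.
WEB_ROOT = "/var/www/static"
INVOICES = {101: {"owner": "alice", "total": 120}, 102: {"owner": "bob", "total": 80}}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


def resolve_vulnerable(requested):
    """Deliberately vulnerable: decodes and concatenates, so '../' walks out of the root."""
    return WEB_ROOT + "/" + unquote(requested)


def resolve_hardened(requested):
    """Decode once (as the server would), normalise, then require the result to stay under
    the root. Returns None for anything that escapes or smuggles a NUL byte. On a real
    filesystem also apply os.path.realpath so a symlink cannot bypass the prefix check."""
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if candidate == WEB_ROOT or candidate.startswith(WEB_ROOT + "/"):
        return candidate
    return None


def get_invoice_vulnerable(user, invoice_id):
    """Authenticated but never checks ownership: an IDOR (horizontal escalation)."""
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv else (404, None)


def get_invoice_hardened(user, invoice_id):
    """Owner or admin only; unknown ids still 404 so ids cannot be enumerated via 403s."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    if inv["owner"] != user and ROLES.get(user) != "admin":
        return 403, None
    return 200, inv


def list_invoices_vulnerable(user):
    """Admin-only report that only checks the caller is logged in: vertical escalation."""
    return 200, list(INVOICES)


def list_invoices_hardened(user):
    if ROLES.get(user) != "admin":
        return 403, None
    return 200, list(INVOICES)


def idor_matrix(handler, users, ids):
    """Request every object as every user; return the (user, id) pairs where a non-owner,
    non-admin got a 200."""
    leaks = []
    for user in users:
        for invoice_id in ids:
            status, _ = handler(user, invoice_id)
            if status == 200 and INVOICES[invoice_id]["owner"] != user and ROLES.get(user) != "admin":
                leaks.append((user, invoice_id))
    return leaks


def vertical_escalation(handler, users):
    """Return the non-admin users who can reach an admin-only function."""
    return [u for u in users if ROLES.get(u) != "admin" and handler(u)[0] == 200]


TRAVERSAL_PAYLOADS = ["css/site.css", "../../../etc/passwd", "..%2f..%2f..%2fetc%2fpasswd",
                      "css/../../static/../static/index.html", "secret.txt%00.png"]

if __name__ == "__main__":
    for p in TRAVERSAL_PAYLOADS:
        print(f"{p!r}: naive={posixpath.normpath(resolve_vulnerable(p))} hardened={resolve_hardened(p)}")
    print("IDOR leaks (vulnerable):", idor_matrix(get_invoice_vulnerable, ROLES, INVOICES))
    print("IDOR leaks (hardened):", idor_matrix(get_invoice_hardened, ROLES, INVOICES))
    print("vertical (vulnerable):", vertical_escalation(list_invoices_vulnerable, ROLES))
    print("vertical (hardened):", vertical_escalation(list_invoices_hardened, ROLES))
```

The fourth traversal payload dips out of the root and comes back in; it is allowed because the hardened resolver checks the normalised result, not for the presence of `..`. Rejecting on substrings would block that legitimate path and still miss encodings the filter did not anticipate.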

Phase 6: Security Headers

Skills to Invoke

  • api-security-best-practices
    - Security headers

Actions

  1. Check CSP implementation
  2. Verify HSTS configuration
  3. Test X-Frame-Options
  4. Check X-Content-Type-Options
  5. Verify referrer policy

Copy-Paste Prompts

Use @api-security-best-practices to audit security headers
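
The five header checks above as an added Python audit function (not the bundle's own code), run against a constructed weak header set and its corrected form; the nonce value and the finding identifiers are assumptions made for the example.

```python
# Constructed header sets for an assumed target: a weak deployment beside its corrected form.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                                "object-src 'none'; frame-ancestors 'none'"),
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

ONE_YEAR = 31536000  # one year in seconds, the minimum max-age the HSTS preload list accepts
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}


def parse_directives(value):
    """Split a 'name tok tok; name tok' header value (CSP style) into {name: [tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value):
    """Split 'max-age=N; includeSubDomains; preload' into {name: value}."""
    result = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            result[name.lower()] = val.strip()
    return result


def audit_headers(headers):
    """Return finding identifiers for the five header checks in this phase."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = parse_directives(h.get("content-security-policy", ""))
    if not csp:
        findings.append("csp-missing")
    else:
        # script-src falls back to default-src when absent.
        script_src = csp.get("script-src", csp.get("default-src", []))
        if not script_src or "*" in script_src:
            findings.append("csp-script-src-wildcard")
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in script_src)
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so flag it only without one.
        if "'unsafe-inline'" in script_src and not nonce_or_hash:
            findings.append("csp-unsafe-inline-scripts")

    if "strict-transport-security" not in h:
        findings.append("hsts-missing")
    else:
        hsts = parse_hsts(h["strict-transport-security"])
        max_age = hsts.get("max-age", "")
        if not max_age.isdigit() or int(max_age) < ONE_YEAR:
            findings.append("hsts-max-age-short")
        if "includesubdomains" not in hsts:
            findings.append("hsts-no-includesubdomains")

    # CSP frame-ancestors supersedes X-Frame-Options; either one is acceptable.
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking-unprotected")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("nosniff-missing")
    if h.get("referrer-policy", "").strip().lower() not in SAFE_REFERRER_POLICIES:
        findings.append("referrer-policy-weak")
    return findings


if __name__ == "__main__":
    print("weak:", audit_headers(WEAK_HEADERS))
    print("hardened:", audit_headers(HARDENED_HEADERS))
```

Feed it the header dictionary from each distinct response type (HTML pages, API JSON, error pages, redirects): headers are often set per route, and the one that is missing on the error page is the one that matters.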

Phase 7: Reporting

Skills to Invoke

  • reporting-standards
    - Security reporting

Actions

  1. Document vulnerabilities
  2. Assess risk levels
  3. Provide remediation
  4. Create proof of concept
  5. Generate report

Copy-Paste Prompts

Use @reporting-standards to create security report

OWASP Top 10 Checklist

  • A01: Broken Access Control (Phase 5)
  • A02: Cryptographic Failures
  • A03: Injection, which in the 2021 list also covers XSS (Phases 2 and 3)
  • A04: Insecure Design
  • A05: Security Misconfiguration (Phase 6 covers the response-header part)
  • A06: Vulnerable and Outdated Components (Phase 1 fingerprinting supplies the version data)
  • A07: Identification and Authentication Failures (Phase 4)
  • A08: Software and Data Integrity Failures
  • A09: Security Logging and Monitoring Failures
  • A10: Server-Side Request Forgery (SSRF)

Phases 1 to 6 only exercise A01, A03, A05, A06 and A07. A02, A04, A08, A09 and A10 need their own test cases before the "All OWASP Top 10 tested" quality gate below can honestly be ticked.

Quality Gates

  • All OWASP Top 10 tested
  • Vulnerabilities documented
  • Proof of concepts captured
  • Remediation provided
  • Report generated

Related Workflow Bundles

  • security-audit
    - Security auditing
  • api-security-testing
    - API security
  • wordpress-security
    - WordPress security