| name | security-auditing |
| description | Guide for conducting comprehensive security audits of code to identify vulnerabilities. This skill should be used when reviewing authentication, input validation, cryptography, or API security. |
Security Audit Skill
This skill provides elite security expertise for identifying and eliminating vulnerabilities before malicious actors can exploit them.
When to Use This Skill
Invoke this skill when:
- Reviewing authentication and authorization mechanisms
- Auditing code for injection vulnerabilities (SQL, NoSQL, command, XSS)
- Validating input sanitization and data protection measures
- Assessing cryptographic implementations and key management
- Analyzing API security, rate limiting, and authorization controls
- Conducting security reviews of new features or code changes
- Auditing payment processing, file uploads, or sensitive data handling
- Investigating potential security vulnerabilities reported by users or tools
Core Security Expertise
1. Authentication & Authorization Vulnerabilities
To identify authentication and authorization issues, examine:
- Password policies and storage mechanisms (bcrypt, argon2 vs plaintext)
- Session management and token expiration
- Authorization checks at every protected resource
- JWT token implementation (secret strength, expiration, algorithm)
- OAuth/SAML flows for common implementation errors
- Multi-factor authentication bypass opportunities
Key Rules:
- Never trust client-side authorization checks alone
- Every protected endpoint must verify both authentication AND authorization
- Session tokens should have appropriate timeouts and secure flags
2. Injection Attacks
To detect injection vulnerabilities, trace user input through:
- Database queries (SQL injection, NoSQL operator injection)
- System commands (command injection, path traversal)
- Template engines (template injection, SSTI)
- XML parsers (XXE injection)
- LDAP queries (LDAP injection)
Key Rules:
- User input must be validated, sanitized, and parameterized
- Never concatenate user input directly into queries or commands
- Use ORM/query builders with parameterization, not string concatenation
3. Input Validation & Sanitization
To validate input handling, check for:
- Whitelist-based validation on all user inputs
- Proper encoding for output contexts (HTML, JavaScript, URL, SQL)
- File upload restrictions (type, size, content validation)
- Mass assignment protection on data models
- Type validation to prevent coercion attacks
Key Rules:
- Validate on the server side, never trust client-side validation alone
- Use context-appropriate encoding when outputting user data
- Implement file upload validation beyond just file extension checks
4. Data Protection & Cryptography
To assess data protection, evaluate:
- Sensitive data identification and classification (PII, credentials, tokens)
- Encryption at rest (database fields, file storage)
- Encryption in transit (HTTPS enforcement, certificate validation)
- Cryptographic algorithm strength (avoid MD5, SHA1, DES, ECB mode)
- Key management and rotation procedures
- Timing attack vulnerabilities in comparison operations
Key Rules:
- Never store passwords in plaintext or with reversible encryption
- Use industry-standard libraries (not custom cryptography)
- Enforce HTTPS for all sensitive data transmission
5. API Security
To audit API security, review:
- Rate limiting implementation on all endpoints
- Object-level authorization (IDOR prevention)
- Excessive data exposure in API responses
- Security headers (CORS, CSP, HSTS, X-Frame-Options)
- API key rotation and secure storage
- Mass assignment vulnerabilities in request handlers
Key Rules:
- Implement rate limiting based on business requirements
- Return only the data the user is authorized to see
- Use security headers to enforce browser-side protections
6. Business Logic Vulnerabilities
To find business logic flaws, analyze:
- Race conditions in critical operations (TOCTOU issues)
- Price manipulation opportunities
- Privilege escalation paths through workflow abuse
- State transition validation
- Anti-automation controls (CAPTCHA, rate limiting)
Key Rules:
- Critical operations should be atomic and idempotent
- Validate state transitions, not just individual states
- Implement transaction-level integrity checks
Audit Methodology
When reviewing code, follow this systematic approach:
- Threat Modeling: Identify attack surfaces and potential threat actors
- Code Flow Analysis: Trace data flow from user input to sensitive operations
- Vulnerability Scanning: Systematically check for known vulnerability patterns
- Attack Simulation: Think like an attacker - how would this be exploited?
- Defense Verification: Validate that security controls are properly implemented
- Compliance Check: Ensure adherence to standards (OWASP Top 10, PCI-DSS, GDPR)
Report Output Format
IMPORTANT: The section below defines the COMPLETE report structure that MUST be used. Do NOT create your own format or simplified version.
Location and Naming
- Directory:
/docs/security/ - Filename:
YYYY-MM-DD-HHMMSS-security-audit.md - Example:
2025-10-29-143022-security-audit.md
Report Template
🚨 CRITICAL INSTRUCTION - READ CAREFULLY 🚨
You MUST use this exact template structure for ALL security audit reports. This is MANDATORY and NON-NEGOTIABLE.
REQUIREMENTS:
- ✅ Use the COMPLETE template structure below - ALL sections are REQUIRED
- ✅ Follow the EXACT heading hierarchy (##, ###, ####)
- ✅ Include ALL section headings as written in the template
- ✅ Use the finding numbering format: C-001, H-001, M-001, L-001, etc.
- ✅ Include the tables, code examples, and checklists as shown
- ❌ DO NOT create your own format or structure
- ❌ DO NOT skip or combine sections
- ❌ DO NOT create abbreviated or simplified versions
- ❌ DO NOT number issues as "1, 2, 3" - use C-001, H-001, M-001 format
If you do not follow this template exactly, the report will be rejected.
## Executive SummaryAudit Overview
- Target System: [Application Name/System]
- Analysis Date: [Date Range]
- Analysis Scope: [Web Application/API/Full Codebase]
- Technology Stack: [e.g., .NET 8, Umbraco CMS, Azure AD B2C, SQL Server, Elasticsearch]
Risk Assessment Summary
| Risk Level | Count | Percentage |
|---|---|---|
| Critical | X | X% |
| High | X | X% |
| Medium | X | X% |
| Low | X | X% |
| Total | X | 100% |
Key Findings
- Critical Issues: X findings requiring immediate attention
- OWASP Top 10 Compliance: X/10 categories compliant
- Overall Security Score: X/100 (based on vulnerability severity and coverage)
Analysis Methodology
Security Analysis Approach
- Code Pattern Analysis: Comprehensive source code review for security anti-patterns
- Dependency Vulnerability Assessment: Analysis of package dependencies and known CVEs
- Configuration Security Review: Examination of configuration files and settings
- Architecture Security Analysis: Review of authentication, authorization, and data flow patterns
Analysis Coverage
- Files Analyzed: X source files across Y projects
- Dependencies Reviewed: X packages and libraries
- Configuration Files: X config files examined
- Security Patterns Checked: OWASP Top 10, common vulnerability patterns
Analysis Capabilities
- Pattern Detection: SQL injection, XSS, authentication bypasses, insecure configurations
- Dependency Analysis: Outdated packages, known vulnerabilities, licensing issues
- Code Flow Analysis: Authentication flows, authorization checks, data handling
- Configuration Assessment: Security headers, secrets management, encryption settings
Security Findings
Critical Risk Findings
C-001: SQL Injection Vulnerability
Location: src/Website.Data/Services/UserService.cs:45
Risk Score: 9.8 (Critical)
Pattern Detected: Direct string concatenation in SQL query construction
Code Context:
var query = $"SELECT * FROM Users WHERE id = {userId}";
Impact: Complete database compromise, data exfiltration, system takeover Recommendation: Replace with parameterized queries using Entity Framework or SqlParameter Fix Priority: Immediate (within 24 hours)
C-002: Authentication Bypass
Location: src/Website.Security/Middleware/AuthMiddleware.cs:67
Risk Score: 9.1 (Critical)
Pattern Detected: JWT token validation can be bypassed with null/empty checks
Code Context: Missing signature verification in token validation logic
Impact: Unauthorized access to protected resources
Recommendation: Implement proper JWT signature validation and expiration checks
Fix Priority: Immediate (within 48 hours)
High Risk Findings
H-001: Hardcoded Secrets
Location: Multiple configuration files and source files Risk Score: 7.5 (High) Pattern Detected: API keys, connection strings, and secrets in source code Affected Files:
src/Website.Web/appsettings.jsonsrc/Website.Core/Services/ExternalApiService.cs:23Impact: Credential compromise, unauthorized system access Recommendation: Move all secrets to secure configuration (Azure Key Vault, environment variables) Fix Priority: Within 1 week
H-002: Insufficient Access Controls
Location: src/Website.Core/Controllers/AdminController.cs
Risk Score: 7.2 (High)
Pattern Detected: Administrative endpoints lack proper role-based authorization
Code Context: Missing [Authorize(Roles = "Admin")] attributes on sensitive operations
Impact: Privilege escalation, unauthorized administrative access
Recommendation: Implement granular role-based access control with proper attribute decorations
Fix Priority: Within 2 weeks
Medium Risk Findings
M-001: Cross-Site Scripting (XSS)
Location: Multiple view templates and API responses Risk Score: 6.1 (Medium) Pattern Detected: Unencoded user input rendered in HTML responses Affected Areas: User profile pages, search results, comment sections Impact: Session hijacking, credential theft, phishing attacks Recommendation: Implement automatic HTML encoding and Content Security Policy headers Fix Priority: Within 1 month
M-002: Insecure Direct Object References
Location: src/Website.Core/Controllers/DocumentController.cs:89
Risk Score: 5.4 (Medium)
Pattern Detected: Document access by ID without ownership validation
Code Context: Direct parameter usage without authorization checks
Impact: Unauthorized access to sensitive documents
Recommendation: Implement object-level authorization checks before resource access
Fix Priority: Within 1 month
Low Risk Findings
L-001: Missing Security Headers
Location: Web server configuration Risk Score: 3.7 (Low) Pattern Detected: Security headers not configured in middleware pipeline Missing Headers: HSTS, X-Frame-Options, X-Content-Type-Options, CSP Impact: Reduced defense against clickjacking and MITM attacks Recommendation: Configure comprehensive security headers in startup configuration Fix Priority: Within 2 months
Architecture Security Assessment
Authentication & Authorization Analysis
- Azure AD B2C Integration: ✅ Properly configured with secure redirect URIs
- Session Management: ⚠️ Security stamp validation implementation needs improvement
- Role-Based Access Control: ❌ Insufficient granularity, missing authorization checks
- API Authentication: ❌ Bearer token validation inconsistent across controllers
Data Protection Analysis
- Sensitive Data Handling: ❌ Personal data logged in plain text, insufficient encryption
- Input Validation: ⚠️ Some endpoints lack comprehensive validation
- Output Encoding: ❌ XSS vulnerabilities in multiple view templates
- Error Handling: ⚠️ Some error messages expose internal system information
Dependency Security Analysis
- Package Vulnerabilities: ⚠️ 3 high-severity CVEs detected in NuGet packages
- Outdated Dependencies: ❌ 12 packages with available security updates
- License Compliance: ✅ All dependencies use compatible licenses
- Supply Chain Security: ⚠️ Some packages from unofficial sources
OWASP Top 10 2021 Compliance Analysis
| Risk Category | Compliance Status | Assessment |
|---|---|---|
| A01 - Broken Access Control | ❌ Non-Compliant | 5 instances of missing authorization checks |
| A02 - Cryptographic Failures | ⚠️ Partial | Some data encrypted, but secrets management insufficient |
| A03 - Injection | ❌ Non-Compliant | SQL injection vulnerabilities detected |
| A04 - Insecure Design | ✅ Compliant | Good separation of concerns and architecture |
| A05 - Security Misconfiguration | ❌ Non-Compliant | Missing security headers and default configurations |
| A06 - Vulnerable Components | ⚠️ Partial | Some outdated dependencies with known CVEs |
| A07 - Identity & Auth Failures | ❌ Non-Compliant | Authentication bypass and weak session management |
| A08 - Data Integrity Failures | ⚠️ Partial | Some validation present but inconsistent |
| A09 - Security Logging Failures | ⚠️ Partial | Basic logging but insufficient security event coverage |
| A10 - Server-Side Request Forgery | ✅ Compliant | No SSRF patterns detected |
Overall OWASP Compliance: 40% (4/10 categories fully compliant)
Technical Recommendations
Immediate Code Fixes
- Replace all string concatenation in SQL queries with parameterized queries
- Remove hardcoded secrets from source code and configuration files
- Add missing authorization attributes to administrative endpoints
- Fix JWT token validation to include proper signature verification
Security Enhancements
- Implement comprehensive input validation using data annotations and custom validators
- Add automatic HTML encoding for all user-generated content
- Configure security headers middleware in the application pipeline
- Update vulnerable dependencies to latest secure versions
Architecture Improvements
- Implement centralized secrets management using Azure Key Vault
- Add comprehensive security logging for authentication and authorization events
- Implement rate limiting for API endpoints
- Add automated security testing to the CI/CD pipeline
Code Remediation Examples
SQL Injection Fix
Before (Vulnerable):
var query = $"SELECT * FROM Users WHERE id = {userId}";
var user = context.Database.SqlQuery<User>(query).FirstOrDefault();
After (Secure):
var user = context.Users.FirstOrDefault(u => u.Id == userId);
// OR using parameterized query if raw SQL needed
var query = "SELECT * FROM Users WHERE id = @userId";
var user = context.Database.SqlQuery<User>(query, new SqlParameter("@userId", userId)).FirstOrDefault();
Authorization Fix
Before (Vulnerable):
[HttpDelete]
public IActionResult DeleteUser(int id)
{
// No authorization check
userService.Delete(id);
return Ok();
}
After (Secure):
[HttpDelete]
[Authorize(Roles = "Admin")]
public IActionResult DeleteUser(int id)
{
userService.Delete(id);
return Ok();
}
Risk Mitigation Priorities
Phase 1: Critical Vulnerability Remediation
- Fix SQL injection in
UserService.cs:45 - Patch authentication bypass in
AuthMiddleware.cs:67 - Remove hardcoded API keys from configuration files
- Add missing authorization checks to admin endpoints
Phase 2: High Risk Resolution
- Implement proper secrets management
- Fix XSS vulnerabilities in view templates
- Update vulnerable NuGet packages
- Add comprehensive input validation
Phase 3: Medium Risk and Configuration
- Configure security headers middleware
- Implement object-level authorization
- Add security event logging
- Fix insecure direct object references
Phase 4: Security Hardening
- Implement rate limiting
- Add automated security testing
- Complete OWASP compliance review
- Document security procedures
Summary
This security analysis identified X critical, Y high, Z medium, and W low risk vulnerabilities across the codebase. The analysis focused on code patterns, dependency vulnerabilities, and configuration security without requiring manual penetration testing or third-party tools.
Key Strengths Identified:
- Good architectural separation of concerns
- Proper use of modern authentication framework (Azure AD B2C)
- No SSRF vulnerabilities detected
Critical Areas Requiring Immediate Attention:
- SQL injection vulnerabilities requiring immediate patching
- Authentication bypass issues
- Hardcoded secrets in source code
- Missing authorization controls
Severity Assessment Framework
When determining severity, apply these criteria:
- CRITICAL: Can an unauthenticated attacker access sensitive data or compromise the system?
- HIGH: Can an authenticated user escalate privileges or access other users' data?
- MEDIUM: Does exploitation require specific conditions or insider knowledge?
- LOW: Is this a defense-in-depth improvement or minor information disclosure?
Examples
Example 1: SQL Injection
Bad approach:
const query = `SELECT * FROM users WHERE email = '${userEmail}'`;
db.query(query);
Good approach:
const query = 'SELECT * FROM users WHERE email = ?';
db.query(query, [userEmail]);
Example 2: Password Storage
Bad approach:
user.password = md5(password);
Good approach:
user.password = await bcrypt.hash(password, 12);
Example 3: Authorization Check
Bad approach:
// Only checking authentication, not authorization
if (req.user) {
return db.getOrder(req.params.orderId);
}
Good approach:
// Check both authentication and authorization
if (req.user) {
const order = await db.getOrder(req.params.orderId);
if (order.userId !== req.user.id) {
throw new ForbiddenError();
}
return order;
}
Best Practices
Assume Breach Mentality: Design systems assuming attackers will gain some level of access. Implement defense-in-depth with multiple layers of security.
Validate Context: Consider the specific project architecture, technology stack, and business requirements when assessing vulnerabilities. A vulnerability's severity depends on context.
Provide Actionable Fixes: Every finding should include specific, implementable remediation steps with code examples where possible.
Balance Security and Usability: Recommend security measures that don't break functionality. Verify proposed fixes work with the existing architecture.
Think Like an Attacker: For each vulnerability, demonstrate concrete exploit scenarios to illustrate the real-world impact.
Acknowledge Good Security: Recognize properly implemented security controls to reinforce positive patterns and build trust.
Quality Assurance Checklist
Before finalizing a security audit, verify:
- ✓ Have all user input points been identified and traced?
- ✓ Have sensitive data flows been traced end-to-end?
- ✓ Have both authenticated and unauthenticated attack vectors been considered?
- ✓ Are remediation recommendations specific and actionable?
- ✓ Have recommendations been validated to ensure they don't break functionality?
- ✓ Has business context and risk tolerance been factored into severity assessments?
Context-Aware Analysis
When project-specific context is available in CLAUDE.md files, incorporate:
- Project Architecture: Understand security boundaries and trust zones
- Technology Stack: Identify framework-specific vulnerabilities and security features
- Business Logic: Recognize domain-specific security requirements
- Compliance Requirements: Note regulatory constraints (PCI-DSS, HIPAA, GDPR)
- Existing Security Measures: Build upon established security patterns
Communication Guidelines
When reporting findings:
- Be direct and precise about security risks
- Use technical terminology accurately
- Provide concrete exploit scenarios to demonstrate impact
- Include code snippets showing both vulnerable and secure implementations
- Balance thoroughness with clarity - reports should be actionable
- Acknowledge properly implemented security controls
- Escalate critical findings immediately with clear urgency
Remember: The goal is not to criticize but to protect. Every vulnerability found and fixed is a potential breach prevented. Be thorough, be precise, and always think like an attacker while defending like a guardian.