security-auditing
Guide for conducting comprehensive security audits of code to identify vulnerabilities. This skill should be used when reviewing authentication, input validation, cryptography, or API security.
$ インストール
git clone https://github.com/charlesjones-dev/claude-code-plugins-dev /tmp/claude-code-plugins-dev && cp -r /tmp/claude-code-plugins-dev/plugins/ai-security/skills/security-auditing ~/.claude/skills/claude-code-plugins-dev// tip: Run this command in your terminal to install the skill
name: security-auditing description: Guide for conducting comprehensive security audits of code to identify vulnerabilities. This skill should be used when reviewing authentication, input validation, cryptography, or API security.
Security Audit Skill
This skill provides elite security expertise for identifying and eliminating vulnerabilities before malicious actors can exploit them.
When to Use This Skill
Invoke this skill when:
- Reviewing authentication and authorization mechanisms
- Auditing code for injection vulnerabilities (SQL, NoSQL, command, XSS)
- Validating input sanitization and data protection measures
- Assessing cryptographic implementations and key management
- Analyzing API security, rate limiting, and authorization controls
- Conducting security reviews of new features or code changes
- Auditing payment processing, file uploads, or sensitive data handling
- Investigating potential security vulnerabilities reported by users or tools
Core Security Expertise
1. Authentication & Authorization Vulnerabilities
To identify authentication and authorization issues, examine:
- Password policies and storage mechanisms (bcrypt, argon2 vs plaintext)
- Session management and token expiration
- Authorization checks at every protected resource
- JWT token implementation (secret strength, expiration, algorithm)
- OAuth/SAML flows for common implementation errors
- Multi-factor authentication bypass opportunities
Key Rules:
- Never trust client-side authorization checks alone
- Every protected endpoint must verify both authentication AND authorization
- Session tokens should have appropriate timeouts and secure flags
2. Injection Attacks
To detect injection vulnerabilities, trace user input through:
- Database queries (SQL injection, NoSQL operator injection)
- System commands (command injection, path traversal)
- Template engines (template injection, SSTI)
- XML parsers (XXE injection)
- LDAP queries (LDAP injection)
Key Rules:
- User input must be validated, sanitized, and parameterized
- Never concatenate user input directly into queries or commands
- Use ORM/query builders with parameterization, not string concatenation
3. Input Validation & Sanitization
To validate input handling, check for:
- Whitelist-based validation on all user inputs
- Proper encoding for output contexts (HTML, JavaScript, URL, SQL)
- File upload restrictions (type, size, content validation)
- Mass assignment protection on data models
- Type validation to prevent coercion attacks
Key Rules:
- Validate on the server side, never trust client-side validation alone
- Use context-appropriate encoding when outputting user data
- Implement file upload validation beyond just file extension checks
4. Data Protection & Cryptography
To assess data protection, evaluate:
- Sensitive data identification and classification (PII, credentials, tokens)
- Encryption at rest (database fields, file storage)
- Encryption in transit (HTTPS enforcement, certificate validation)
- Cryptographic algorithm strength (avoid MD5, SHA1, DES, ECB mode)
- Key management and rotation procedures
- Timing attack vulnerabilities in comparison operations
Key Rules:
- Never store passwords in plaintext or with reversible encryption
- Use industry-standard libraries (not custom cryptography)
- Enforce HTTPS for all sensitive data transmission
5. API Security
To audit API security, review:
- Rate limiting implementation on all endpoints
- Object-level authorization (IDOR prevention)
- Excessive data exposure in API responses
- Security headers (CORS, CSP, HSTS, X-Frame-Options)
- API key rotation and secure storage
- Mass assignment vulnerabilities in request handlers
Key Rules:
- Implement rate limiting based on business requirements
- Return only the data the user is authorized to see
- Use security headers to enforce browser-side protections
6. Business Logic Vulnerabilities
To find business logic flaws, analyze:
- Race conditions in critical operations (TOCTOU issues)
- Price manipulation opportunities
- Privilege escalation paths through workflow abuse
- State transition validation
- Anti-automation controls (CAPTCHA, rate limiting)
Key Rules:
- Critical operations should be atomic and idempotent
- Validate state transitions, not just individual states
- Implement transaction-level integrity checks
Audit Methodology
When reviewing code, follow this systematic approach:
- Threat Modeling: Identify attack surfaces and potential threat actors
- Code Flow Analysis: Trace data flow from user input to sensitive operations
- Vulnerability Scanning: Systematically check for known vulnerability patterns
- Attack Simulation: Think like an attacker - how would this be exploited?
- Defense Verification: Validate that security controls are properly implemented
- Compliance Check: Ensure adherence to standards (OWASP Top 10, PCI-DSS, GDPR)
Report Output Format
IMPORTANT: The section below defines the COMPLETE report structure that MUST be used. Do NOT create your own format or simplified version.
Location and Naming
- Directory:
/docs/security/ - Filename:
YYYY-MM-DD-HHMMSS-security-audit.md - Example:
2025-10-29-143022-security-audit.md
Report Template
🚨 CRITICAL INSTRUCTION - READ CAREFULLY 🚨
You MUST use this exact template structure for ALL security audit reports. This is MANDATORY and NON-NEGOTIABLE.
REQUIREMENTS:
- ✅ Use the COMPLETE template structure below - ALL sections are REQUIRED
- ✅ Follow the EXACT heading hierarchy (##, ###, ####)
- ✅ Include ALL section headings as written in the template
- ✅ Use the finding numbering format: C-001, H-001, M-001, L-001, etc.
- ✅ Include the tables, code examples, and checklists as shown
- ❌ DO NOT create your own format or structure
- ❌ DO NOT skip or combine sections
- ❌ DO NOT create abbreviated or simplified versions
- ❌ DO NOT number issues as "1, 2, 3" - use C-001, H-001, M-001 format
If you do not follow this template exactly, the report will be rejected.
Audit Overview
- Target System: [Application Name/System]
- Analysis Date: [Date Range]
- Analysis Scope: [Web Application/API/Full Codebase]
- Technology Stack: [e.g., .NET 8, Umbraco CMS, Azure AD B2C, SQL Server, Elasticsearch]
Risk Assessment Summary
| Risk Level | Count | Percentage |
|---|---|---|
| Critical | X | X% |
| High | X | X% |
| Medium | X | X% |
| Low | X | X% |
| Total | X | 100% |
Key Findings
- Critical Issues: X findings requiring immediate attention
- OWASP Top 10 Compliance: X/10 categories compliant
- Overall Security Score: X/100 (based on vulnerability severity and coverage)
Analysis Methodology
Security Analysis Approach
- Code Pattern Analysis: Comprehensive source code review for security anti-patterns
- Dependency Vulnerability Assessment: Analysis of package dependencies and known CVEs
- Configuration Security Review: Examination of configuration files and settings
- Architecture Security Analysis: Review of authentication, authorization, and data flow patterns
Analysis Coverage
- Files Analyzed: X source files across Y projects
- Dependencies Reviewed: X packages and libraries
- Configuration Files: X config files examined
- Security Patterns Checked: OWASP Top 10, common vulnerability patterns
Analysis Capabilities
- Pattern Detection: SQL injection, XSS, authentication bypasses, insecure configurations
- Dependency Analysis: Outdated packages, known vulnerabilities, licensing issues
- Code Flow Analysis: Authentication flows, authorization checks, data handling
- Configuration Assessment: Security headers, secrets management, encryption settings
Security Findings
Critical Risk Findings
C-001: SQL Injection Vulnerability
Location: src/Website.Data/Services/UserService.cs:45
Risk Score: 9.8 (Critical)
Pattern Detected: Direct string concatenation in SQL query construction
Code Context:
var query = $"SELECT * FROM Users WHERE id = {userId}";
Impact: Complete database compromise, data exfiltration, system takeover Recommendation: Replace with parameterized queries using Entity Framework or SqlParameter Fix Priority: Immediate (within 24 hours)
C-002: Authentication Bypass
Location: src/Website.Security/Middleware/AuthMiddleware.cs:67
Risk Score: 9.1 (Critical)
Pattern Detected: JWT token validation can be bypassed with null/empty checks
Code Context: Missing signature verification in token validation logic
Impact: Unauthorized access to protected resources
Recommendation: Implement proper JWT signature validation and expiration checks
Fix Priority: Immediate (within 48 hours)
High Risk Findings
H-001: Hardcoded Secrets
Location: Multiple configuration files and source files Risk Score: 7.5 (High) Pattern Detected: API keys, connection strings, and secrets in source code Affected Files:
src/Website.Web/appsettings.jsonsrc/Website.Core/Services/ExternalApiService.cs:23Impact: Credential compromise, unauthorized system access Recommendation: Move all secrets to secure configuration (Azure Key Vault, environment variables) Fix Priority: Within 1 week
H-002: Insufficient Access Controls
Location: src/Website.Core/Controllers/AdminController.cs
Risk Score: 7.2 (High)
Pattern Detected: Administrative endpoints lack proper role-based authorization
Code Context: Missing [Authorize(Roles = "Admin")] attributes on sensitive operations
Impact: Privilege escalation, unauthorized administrative access
Recommendation: Implement granular role-based access control with proper attribute decorations
Fix Priority: Within 2 weeks
Medium Risk Findings
M-001: Cross-Site Scripting (XSS)
Location: Multiple view templates and API responses Risk Score: 6.1 (Medium) Pattern Detected: Unencoded user input rendered in HTML responses Affected Areas: User profile pages, search results, comment sections Impact: Session hijacking, credential theft, phishing attacks Recommendation: Implement automatic HTML encoding and Content Security Policy headers Fix Priority: Within 1 month
M-002: Insecure Direct Object References
Location: src/Website.Core/Controllers/DocumentController.cs:89
Risk Score: 5.4 (Medium)
Pattern Detected: Document access by ID without ownership validation
Code Context: Direct parameter usage without authorization checks
Impact: Unauthorized access to sensitive documents
Recommendation: Implement object-level authorization checks before resource access
Fix Priority: Within 1 month
Low Risk Findings
L-001: Missing Security Headers
Location: Web server configuration Risk Score: 3.7 (Low) Pattern Detected: Security headers not configured in middleware pipeline Missing Headers: HSTS, X-Frame-Options, X-Content-Type-Options, CSP Impact: Reduced defense against clickjacking and MITM attacks Recommendation: Configure comprehensive security headers in startup configuration Fix Priority: Within 2 months
Architecture Security Assessment
Authentication & Authorization Analysis
- Azure AD B2C Integration: ✅ Properly configured with secure redirect URIs
- Session Management: ⚠️ Security stamp validation implementation needs improvement
- Role-Based Access Control: ❌ Insufficient granularity, missing authorization checks
- API Authentication: ❌ Bearer token validation inconsistent across controllers
Data Protection Analysis
- Sensitive Data Handling: ❌ Personal data logged in plain text, insufficient encryption
- Input Validation: ⚠️ Some endpoints lack comprehensive validation
- Output Encoding: ❌ XSS vulnerabilities in multiple view templates
- Error Handling: ⚠️ Some error messages expose internal system information
Dependency Security Analysis
- Package Vulnerabilities: ⚠️ 3 high-severity CVEs detected in NuGet packages
- Outdated Dependencies: ❌ 12 packages with available security updates
- License Compliance: ✅ All dependencies use compatible licenses
- Supply Chain Security: ⚠️ Some packages from unofficial sources
OWASP Top 10 2021 Compliance Analysis
| Risk Category | Compliance Status | Assessment |
|---|---|---|
| A01 - Broken Access Control | ❌ Non-Compliant | 5 instances of missing authorization checks |
| A02 - Cryptographic Failures | ⚠️ Partial | Some data encrypted, but secrets management insufficient |
| A03 - Injection | ❌ Non-Compliant | SQL injection vulnerabilities detected |
| A04 - Insecure Design | ✅ Compliant | Good separation of concerns and architecture |
| A05 - Security Misconfiguration | ❌ Non-Compliant | Missing security headers and default configurations |
| A06 - Vulnerable Components | ⚠️ Partial | Some outdated dependencies with known CVEs |
| A07 - Identity & Auth Failures | ❌ Non-Compliant | Authentication bypass and weak session management |
| A08 - Data Integrity Failures | ⚠️ Partial | Some validation present but inconsistent |
| A09 - Security Logging Failures | ⚠️ Partial | Basic logging but insufficient security event coverage |
| A10 - Server-Side Request Forgery | ✅ Compliant | No SSRF patterns detected |
Overall OWASP Compliance: 40% (4/10 categories fully compliant)
Technical Recommendations
Immediate Code Fixes
- Replace all string concatenation in SQL queries with parameterized queries
- Remove hardcoded secrets from source code and configuration files
- Add missing authorization attributes to administrative endpoints
- Fix JWT token validation to include proper signature verification
Security Enhancements
- Implement comprehensive input validation using data annotations and custom validators
- Add automatic HTML encoding for all user-generated content
- Configure security headers middleware in the application pipeline
- Update vulnerable dependencies to latest secure versions
Architecture Improvements
- Implement centralized secrets management using Azure Key Vault
- Add comprehensive security logging for authentication and authorization events
- Implement rate limiting for API endpoints
- Add automated security testing to the CI/CD pipeline
Code Remediation Examples
SQL Injection Fix
Before (Vulnerable):
var query = $"SELECT * FROM Users WHERE id = {userId}";
var user = context.Database.SqlQuery<User>(query).FirstOrDefault();
After (Secure):
var user = context.Users.FirstOrDefault(u => u.Id == userId);
// OR using parameterized query if raw SQL needed
var query = "SELECT * FROM Users WHERE id = @userId";
var user = context.Database.SqlQuery<User>(query, new SqlParameter("@userId", userId)).FirstOrDefault();
Authorization Fix
Before (Vulnerable):
[HttpDelete]
public IActionResult DeleteUser(int id)
{
// No authorization check
userService.Delete(id);
return Ok();
}
After (Secure):
[HttpDelete]
[Authorize(Roles = "Admin")]
public IActionResult DeleteUser(int id)
{
userService.Delete(id);
return Ok();
}
Risk Mitigation Priorities
Phase 1: Critical Vulnerability Remediation
- Fix SQL injection in
UserService.cs:45 - Patch authentication bypass in
AuthMiddleware.cs:67 - Remove hardcoded API keys from configuration files
- Add missing authorization checks to admin endpoints
Phase 2: High Risk Resolution
- Implement proper secrets management
- Fix XSS vulnerabilities in view templates
- Update vulnerable NuGet packages
- Add comprehensive input validation
Phase 3: Medium Risk and Configuration
- Configure security headers middleware
- Implement object-level authorization
- Add security event logging
- Fix insecure direct object references
Phase 4: Security Hardening
- Implement rate limiting
- Add automated security testing
- Complete OWASP compliance review
- Document security procedures
Summary
This security analysis identified X critical, Y high, Z medium, and W low risk vulnerabilities across the codebase. The analysis focused on code patterns, dependency vulnerabilities, and configuration security without requiring manual penetration testing or third-party tools.
Key Strengths Identified:
- Good architectural separation of concerns
- Proper use of modern authentication framework (Azure AD B2C)
- No SSRF vulnerabilities detected
Critical Areas Requiring Immediate Attention:
- SQL injection vulnerabilities requiring immediate patching
- Authentication bypass issues
- Hardcoded secrets in source code
- Missing authorization controls
Severity Assessment Framework
When determining severity, apply these criteria:
- CRITICAL: Can an unauthenticated attacker access sensitive data or compromise the system?
- HIGH: Can an authenticated user escalate privileges or access other users' data?
- MEDIUM: Does exploitation require specific conditions or insider knowledge?
- LOW: Is this a defense-in-depth improvement or minor information disclosure?
Examples
Example 1: SQL Injection
Bad approach:
const query = `SELECT * FROM users WHERE email = '${userEmail}'`;
db.query(query);
Good approach:
const query = 'SELECT * FROM users WHERE email = ?';
db.query(query, [userEmail]);
Example 2: Password Storage
Bad approach:
user.password = md5(password);
Good approach:
user.password = await bcrypt.hash(password, 12);
Example 3: Authorization Check
Bad approach:
// Only checking authentication, not authorization
if (req.user) {
return db.getOrder(req.params.orderId);
}
Good approach:
// Check both authentication and authorization
if (req.user) {
const order = await db.getOrder(req.params.orderId);
if (order.userId !== req.user.id) {
throw new ForbiddenError();
}
return order;
}
Best Practices
-
Assume Breach Mentality: Design systems assuming attackers will gain some level of access. Implement defense-in-depth with multiple layers of security.
-
Validate Context: Consider the specific project architecture, technology stack, and business requirements when assessing vulnerabilities. A vulnerability's severity depends on context.
-
Provide Actionable Fixes: Every finding should include specific, implementable remediation steps with code examples where possible.
-
Balance Security and Usability: Recommend security measures that don't break functionality. Verify proposed fixes work with the existing architecture.
-
Think Like an Attacker: For each vulnerability, demonstrate concrete exploit scenarios to illustrate the real-world impact.
-
Acknowledge Good Security: Recognize properly implemented security controls to reinforce positive patterns and build trust.
Quality Assurance Checklist
Before finalizing a security audit, verify:
- ✓ Have all user input points been identified and traced?
- ✓ Have sensitive data flows been traced end-to-end?
- ✓ Have both authenticated and unauthenticated attack vectors been considered?
- ✓ Are remediation recommendations specific and actionable?
- ✓ Have recommendations been validated to ensure they don't break functionality?
- ✓ Has business context and risk tolerance been factored into severity assessments?
Context-Aware Analysis
When project-specific context is available in CLAUDE.md files, incorporate:
- Project Architecture: Understand security boundaries and trust zones
- Technology Stack: Identify framework-specific vulnerabilities and security features
- Business Logic: Recognize domain-specific security requirements
- Compliance Requirements: Note regulatory constraints (PCI-DSS, HIPAA, GDPR)
- Existing Security Measures: Build upon established security patterns
Communication Guidelines
When reporting findings:
- Be direct and precise about security risks
- Use technical terminology accurately
- Provide concrete exploit scenarios to demonstrate impact
- Include code snippets showing both vulnerable and secure implementations
- Balance thoroughness with clarity - reports should be actionable
- Acknowledge properly implemented security controls
- Escalate critical findings immediately with clear urgency
Remember: The goal is not to criticize but to protect. Every vulnerability found and fixed is a potential breach prevented. Be thorough, be precise, and always think like an attacker while defending like a guardian.
Repository
