DevOps & Security
OWASP Top 10 Scanner
Scans code for OWASP Top 10 vulnerability patterns including injection, XSS, IDOR, and insecure deserialization with severity ratings and remediation snippets. Useful for pre-commit security checks and enterprise compliance. Backend and full-stack engineers shipping user-facing or API-facing code, security-conscious teams running AI-assisted development without a dedicated AppSec program, and indie builders preparing for SOC 2 or enterprise customer security reviews. OWASP Top 10 categories — injection flaws, broken access control, security misconfiguration, XSS, insecure deserialization, and friends — remain the most common real-world vulnerability classes, and AI-generated code is not immune. Without an integrated scanner that runs inside the coding session, findings surface late (in manual review or production) rather than before code lands.
One-Time Purchase
$19.99
OWASP Top 10 Scan — src/api/users.ts
Lines scanned: 347 · Findings: 12 · Categories hit: A01, A02, A03, A05, A07, A09
Verdict
Two criticals block merge. Raw SQL string interpolation on email (line 84) is directly exploitable with no prerequisites; an IDOR on GET /users/:userId (line 142) lets any authenticated user read any other user's record. Plaintext password comparison (line 68) and MD5 hashing (line 259) make the foundation of authentication unsafe. Fix the SQL injection, IDOR, and password storage before anything else in this file ships.
Findings by severity
Findings Table
| # | OWASP | Line | Issue | Severity | Confidence |
|---|---|---|---|---|---|
| 1 | A03 Injection | 84 | Raw SQL with ${req.body.email} | Critical | High |
| 2 | A01 Broken Access Control | 142 | IDOR on GET /users/:userId | Critical | High |
| 3 | A07 Auth Failures | 211 | JWT signed with no expiresIn | High | High |
| 4 | A03 Injection | 178 | ORDER BY ${req.query.sortBy} | High | High |
| 5 | A05 Misconfiguration | 23 | cors({ origin: '*' }) on auth API | High | High |
| 6 | A02 Crypto Failures | 259 | MD5 used for password hashing | High | High |
| 7 | A03 Injection (XSS) | 302 | Reflected req.query.name in HTML | Medium | Medium |
| 8 | A09 Logging Failures | 127 | Raw err.message returned to client | Medium | Medium |
| 9 | A01 Broken Access Control | 195 | Mass assignment on user.role | Medium | Medium |
| 10 | A07 Auth Failures | 68 | Plaintext password !== compare | Medium | High |
| 11 | A05 Misconfiguration | 14 | express.json({ limit: '50mb' }) | Low | Low |
| 12 | A09 Logging Failures | 75 | console.log of login attempts | Low | Low |
Exploit Walkthrough — Finding 1 Critical
// Line 83–86 — vulnerable
const query = `SELECT * FROM users WHERE email = '${req.body.email}'`;
const result = await db.raw(query);
A POST to /login with a body of {"email": "x' OR '1'='1' --"} produces the query:
SELECT * FROM users WHERE email = 'x' OR '1'='1' --'
That returns every row in users. Combined with the plaintext-compare at line 68 (Finding 10), the first row is silently authenticated. The attacker is logged in as whichever user the database returns first — typically the oldest admin.
Fix. Parameterize:
const result = await db('users').where({ email: req.body.email }).select('*');
// Or with raw + binding:
const result = await db.raw('SELECT * FROM users WHERE email = ?', [req.body.email]);
Critical / High Detail
Finding 2 — IDOR Critical
// Line 140–145 — vulnerable
const targetUser = await User.findById(req.params.userId);
return res.json(targetUser);
No ownership or role check. Any authenticated user can read any other user's record. Add the check before the lookup:
if (req.user.id !== req.params.userId && req.user.role !== 'admin') {
return res.status(403).json({ error: 'Forbidden' });
}
Finding 3 — JWT without expiry High
jwt.sign(..., { algorithm: 'HS256' }) with no expiresIn issues an indefinitely valid token. Combined with no revocation table in this file, stolen tokens never expire. Set expiresIn: '15m' and pair with a short-lived refresh token.
Finding 4 — ORDER BY injection High
Parameterized queries cannot bind column names — allowlist instead:
const ALLOWED = ['name', 'email', 'created_at'] as const;
const sortBy = ALLOWED.includes(req.query.sortBy as any) ? req.query.sortBy : 'created_at';
const users = await db('users').orderBy(sortBy as string);
Finding 5 — CORS wildcard High
Replace cors({ origin: '*' }) with an explicit allowlist read from ALLOWED_ORIGINS. Required when credentials: true (which authenticated APIs need).
Finding 6 — MD5 password hashing High
MD5 is reversible via rainbow tables and crackable at billions of guesses per second on commodity GPUs. Switch to bcrypt.hash(password, 12) and force a password reset for anyone whose hash was stored under MD5.
Mitigation Priority
Fix in this order
PR Reviewer Checklist
- No string-interpolated SQL anywhere in the diff
- Every endpoint accepting a resource ID checks ownership or role first
- JWT signing sets
expiresInand pairs with a refresh-token flow - Passwords hashed with
bcrypt(factor 12+) orargon2; constant-time compare via the library - CORS uses an explicit origin allowlist on authenticated routes
- 5xx responses return generic messages; details go to structured logger only
- Body fields explicitly destructured before
Object.assign— no mass assignment - Auth events emit to structured logger with IP, timestamp, user ID
Scan based on static pattern analysis of src/api/users.ts (347 lines) only. Middleware, ORM configuration, and environment files were not scanned and may contain mitigating controls or additional issues not reflected here.
This sample illustrates the skill's output format. Names, metrics, and operational details are illustrative unless the artifact explicitly analyzes public information.
View full sample →
All sales final. No refunds on digital products.
Includes support for Claude Code, Codex, OpenClaw, and Google Antigravity in the same license.
Also in Security Scanning
Bundle price: $55. Compare this skill with the full workflow bundle or Pro access.
Best for
Backend and full-stack engineers shipping user-facing or API-facing code without a dedicated AppSec reviewer in the loop, indie builders preparing for SOC 2 or enterprise customer security questionnaires, and AI-assisted development sessions where the generated code needs a security pass before it lands. Most useful inside the coding session itself — pre-commit or in PR review — so findings surface while context is fresh and the fix is still cheap.
Not ideal for
Replacing a real application security program at a regulated enterprise (PCI, HIPAA, FedRAMP) where signed-off pen tests and SAST tooling with audit trails are required for compliance. Also a poor fit as a substitute for runtime defenses (WAF, RASP, SCA on dependencies) — this catches code-level OWASP patterns, not infrastructure misconfiguration or vulnerable third-party packages.
Included in this purchase
- Claude Code, Codex, OpenClaw, and Google Antigravity skill files.
- Setup guidance for the right adapter in your workspace.
- One-time license for the purchased skill version.
Setup
Plan for a short setup in the repository or workspace where the skill will run. Some coding familiarity helps for implementation-heavy outputs.
Related Skills
$19.99
One-time license
$19.99
One-time license
$19.99
One-time license
Future Updates
This purchase includes the current version of the skill. If you want future adapter updates — meaning compatibility and packaging updates as supported platforms evolve — plus new catalog additions included automatically, upgrade to Pro.