auditing-security by CaptainCrouton89
Identify and remediate vulnerabilities through systematic code analysis. Use when performing security assessments, pre-deployment reviews, compliance validation (OWASP, PCI-DSS, GDPR), investigating known vulnerabilities, or post-incident analysis.
Updated Dec 14, 2025, 11:11 PM
Skill Stats
SKILL.md 297 Lines
Total Files 1
Total Size 9.2 KB
License NOASSERTION
---
name: Auditing Security
description: Identify and remediate vulnerabilities through systematic code analysis. Use when performing security assessments, pre-deployment reviews, compliance validation (OWASP, PCI-DSS, GDPR), investigating known vulnerabilities, or post-incident analysis.
---
# Auditing Security
## Overview
Comprehensive security analysis to identify vulnerabilities, assess risk, and provide remediation guidance aligned with industry standards (OWASP Top 10, CVSS scoring).
**Inputs:**
- Codebase to audit
- `docs/system-design.md` - Architecture context
- `docs/api-contracts.yaml` - API specifications
- `docs/feature-spec/F-##-*.md` - Feature implementations
**Outputs:**
- Security findings organized by severity (CRITICAL, HIGH, MEDIUM, LOW)
- CVSS scores and OWASP Top 10 mapping
- Exploit scenarios and remediation code
- Risk-prioritized remediation plan
## Quick Start
Ask for a security audit with context:
- **What to audit?** Feature, component, or full application
- **Concerns?** Injection, auth bypass, data leaks, access control, API security
- **Sensitive data?** PII, credentials, financial data, health info, business secrets
- **Existing security?** JWT/sessions, RBAC/ABAC, TLS, input validation, headers, rate limiting
## Scope Discovery
**Q1: Audit Scope**
- Specific feature or component
- Entire application (full security audit)
- Known vulnerability investigation
- Compliance check (OWASP Top 10, PCI-DSS, GDPR)
- Code review for security issues
- Infrastructure and configuration
**Q2: Threat Model**
- Data breaches and leaks
- Authentication bypass
- Injection attacks (SQL, XSS, command)
- Access control failures
- API security
- Infrastructure vulnerabilities
- Dependency vulnerabilities
**Q3: Sensitivity Level**
- Personally identifiable information (PII)
- Authentication credentials
- Financial data (payment info, transactions)
- Health information (HIPAA)
- Business secrets or proprietary data
- User-generated content
**Q4: Existing Security** (optional)
- Authentication method (JWT, sessions, OAuth)
- Authorization model (RBAC, ABAC)
- Encryption (TLS, at-rest encryption)
- Input validation and sanitization
- Security headers (CSP, HSTS, etc.)
- Rate limiting and throttling
- Logging and monitoring
## Security Review Strategy
### Sequential Review (Targeted audits)
**When to use:** Small codebase, single vulnerability investigation, specific attack vector, <5 files
Review vulnerabilities one area at a time using direct tools:
**Injection Vulnerabilities:**
- SQL injection: String concatenation in queries (`db.query("SELECT * FROM users WHERE id = '" + id + "'")`)
- XSS: `dangerouslySetInnerHTML`, unsanitized HTML (`.innerHTML = userInput`)
- Command injection: Shell command construction (`exec('rm ' + filename)`)
- NoSQL injection, LDAP injection
- Search for: `db.query(`, `eval(`, `exec(`, `.innerHTML`
**Authentication/Authorization:**
- Endpoints without auth checks
- Weak password requirements
- Missing rate limiting on auth endpoints
- Session management issues
- Broken access control, privilege escalation
- Search for: route handlers, auth middleware, permission checks
**Sensitive Data Exposure:**
- Hardcoded secrets: API keys, passwords, tokens
- Excessive data in API responses
- Logging sensitive information
- Unencrypted transmission
- Insecure storage
- Search for: `apiKey`, `password`, `secret`, `token` assignments
**Security Misconfiguration:**
- Missing security headers (CSP, HSTS, X-Frame-Options)
- CORS misconfiguration
- Verbose error messages exposing internals
- Default credentials
- Debug mode in production
- Search for: server config, error handlers, CORS setup
**Dependency Vulnerabilities:**
- Run `npm audit` or equivalent
- Check for outdated packages with CVEs
- Unnecessary dependencies, supply chain risks
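The "Search for" lists under Injection and Sensitive Data Exposure can be turned into a first-pass line scanner. The block below is an added example, not code from this skill; the rule ids, the `scanSource` function and the sample source are constructed for illustration. It goes slightly beyond the listed strings by also flagging SQL built in a template literal before it reaches `db.query(`.

```javascript
// Added example (not from the skill): line scanner for the "Search for" patterns.
// Rule ids and the sample source are constructed for illustration.
const RULES = [
  // db.query("..." + value): string literal concatenated into a query call
  { rule: 'sql-concat', category: 'Injection',
    re: /db\.query\(\s*(["'`])(?:(?!\1).)*\1\s*\+/ },
  // SQL built in a template literal with ${...}, even if passed to db.query later
  { rule: 'sql-template', category: 'Injection',
    re: /`\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{/i },
  // exec('cmd ' + value): shell command assembled by concatenation
  { rule: 'exec-concat', category: 'Injection',
    re: /\bexec(?:Sync)?\s*\(\s*(["'`])(?:(?!\1).)*\1\s*\+/ },
  { rule: 'eval', category: 'Injection', re: /\beval\s*\(/ },
  { rule: 'inner-html', category: 'Injection',
    re: /\.innerHTML\s*=(?!=)|dangerouslySetInnerHTML/ },
  // apiKey/password/secret/token assigned a string literal of 8+ characters
  { rule: 'hardcoded-secret', category: 'Sensitive Data Exposure',
    re: /\b\w*(?:api_?key|password|secret|token)\w*\s*[:=]\s*(["'`])[^"'`]{8,}\1/i },
];

// Returns one finding per (line, rule) match, with a file:line location.
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    if (line.trim().startsWith('//')) return; // skip full-line comments
    for (const { rule, category, re } of RULES) {
      if (re.test(line)) {
        findings.push({ rule, category, location: `${file}:${i + 1}`, code: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample input: vulnerable lines next to their safe forms.
const SAMPLE = [
  'const apiKey = "sk-EXAMPLE-not-a-real-key";',
  'const safeKey = process.env.API_KEY;',
  "const q = `SELECT * FROM users WHERE email = '${email}'`;",
  "db.query('SELECT * FROM users WHERE email = ?', [email]);",
  'db.query("SELECT * FROM users WHERE id = \'" + id + "\'");',
  'el.innerHTML = userInput;',
  "exec('rm ' + filename);",
].join('\n');

for (const f of scanSource('src/sample.js', SAMPLE)) {
  console.log(`${f.location} [${f.category}] ${f.rule}: ${f.code}`);
}
```

Matches are leads for manual review, not confirmed findings: the parameterized query and the `process.env` lookup in the sample are correctly left unflagged, but a regex cannot tell whether a flagged value is attacker-controlled.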
### Parallel Scanning (Comprehensive audits)
**When to use:** Entire application, multiple OWASP categories, >1000 lines, multiple attack surfaces
**Agent 1: Injection (OWASP A03)**
SQL, XSS, command, NoSQL, LDAP injection vulnerabilities
**Agent 2: Authentication/Authorization (OWASP A01, A07)**
Missing auth, weak passwords, broken sessions, access control failures, privilege escalation
**Agent 3: Data Exposure (OWASP A02)**
Hardcoded secrets, excessive API responses, logging sensitive data, unencrypted transmission, insecure storage
**Agent 4: Configuration (OWASP A05)**
Missing security headers, CORS misconfiguration, verbose errors, default credentials, unnecessary services
**Agent 5: Dependencies (OWASP A06)**
Vulnerable packages, outdated versions, supply chain risks
## Finding Documentation Format
**For each vulnerability:**
```markdown
### [SEVERITY] Issue Name
**CVSS Score:** X.X | **Category:** OWASP A##:YEAR | **Location:** `src/path/file.js:123`
**Vulnerable Code:**
[Code snippet]
**Exploit Scenario:**
[Concrete example of how to abuse this]
**Impact:**
[What attacker can achieve: data access, auth bypass, system compromise, etc.]
**Fix:**
[Secure replacement code]
**References:**
- OWASP: [link]
- CWE-##: [link]
```
**Severity Mapping:**
- 🔴 CRITICAL (CVSS 9.0-10.0): Fix immediately. Examples: authentication bypass, full database access, RCE
- 🔴 HIGH (CVSS 7.0-8.9): Fix within days. Examples: data exfiltration, significant privilege escalation
- 🟡 MEDIUM (CVSS 4.0-6.9): Fix within weeks. Examples: partial data access, limited auth bypass
- 🟢 LOW (CVSS 0.1-3.9): Fix within months. Examples: information disclosure, minor config issues
## Security Audit Report
Generate comprehensive report with:
```markdown
# Security Audit Report: [System Name]
## Executive Summary
**Overall Security Posture:** [CRITICAL / POOR / FAIR / GOOD / EXCELLENT]
**Vulnerability Summary:**
- CRITICAL: [X] (CVSS 9.0-10.0)
- HIGH: [Y] (CVSS 7.0-8.9)
- MEDIUM: [Z] (CVSS 4.0-6.9)
- LOW: [N] (CVSS 0.1-3.9)
**Immediate Actions Required:**
1. [Most critical issue]
2. [Second priority]
## OWASP Top 10 Assessment
| Category | Status | Findings | Priority |
|----------|--------|----------|----------|
| A01: Broken Access Control | ✅/⚠️/❌ | [count] | - |
| A02: Cryptographic Failures | ✅/⚠️/❌ | [count] | - |
| A03: Injection | ✅/⚠️/❌ | [count] | - |
| [Continue for all 10] | | | |
## Findings by Severity
[CRITICAL vulnerabilities]
[HIGH vulnerabilities]
[MEDIUM vulnerabilities]
[LOW vulnerabilities]
## Remediation Plan
### Immediate (24 hours)
[Critical and high-severity fixes]
### Short-term (1 week)
[Medium-severity fixes]
### Medium-term (1 month)
[Low-severity fixes, hardening]
## Verification Checklist
- [ ] Re-run security scans on fixed code
- [ ] Verify each vulnerability is closed
- [ ] Run `npm audit` on dependencies
- [ ] Test fixes don't break functionality
- [ ] Add security regression tests
```
## Security Check Reference
**Injection:**
- SQL queries use parameterization (prepared statements, ORM)
- HTML output is sanitized (DOMPurify, escaped)
- No dynamic command execution (`exec`, `spawn` with user input)
- No `eval()` or similar code execution
**Authentication:**
- Password requirements adequate (12+ chars, complexity)
- All sensitive endpoints have auth checks
- Session management secure (httpOnly, secure cookies)
- Rate limiting on auth endpoints (5 attempts/min max)
- Credentials hashed with bcrypt/argon2, not plaintext
**Data Exposure:**
- No hardcoded secrets (use environment variables)
- API responses don't leak unnecessary data
- Sensitive data not in logs
- HTTPS/TLS enforced everywhere
- Sensitive data encrypted at rest (AES-256)
**Configuration:**
- Security headers present (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
- CORS properly configured (not `*`, validate origins)
- Error messages don't expose internals
- No default credentials
- Debug mode disabled in production
**Dependencies:**
- No known vulnerabilities (run `npm audit`)
- Packages up to date
- No unnecessary dependencies
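The Configuration items (security headers, CORS not `*`) and the session-cookie item under Authentication can be checked against a captured HTTP response. The block below is an added example, not code from this skill; `auditResponseHeaders` and both header sets are constructed, and it assumes every cookie in the response is a session cookie.

```javascript
// Added example (not from the skill): audits one response's headers against the
// Configuration and session-cookie checks above. Header values are constructed.
const REQUIRED = ['content-security-policy', 'strict-transport-security',
  'x-frame-options', 'x-content-type-options'];

// headers: object of name -> string (Set-Cookie may be a string or string[]).
function auditResponseHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v; // names are case-insensitive
  const issues = [];

  for (const name of REQUIRED) {
    if (!h[name]) issues.push(`missing ${name}`);
  }
  const xcto = h['x-content-type-options'];
  if (xcto && xcto.trim().toLowerCase() !== 'nosniff') {
    issues.push('x-content-type-options is not nosniff');
  }
  if (h['access-control-allow-origin'] === '*') {
    issues.push('CORS allows any origin (*)');
  }
  // Assumption: every cookie here is a session cookie and needs both flags.
  for (const cookie of [].concat(h['set-cookie'] || [])) {
    const [pair, ...attrs] = cookie.split(';').map((s) => s.trim());
    const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
    const name = pair.split('=')[0];
    if (!flags.has('httponly')) issues.push(`cookie ${name} lacks HttpOnly`);
    if (!flags.has('secure')) issues.push(`cookie ${name} lacks Secure`);
  }
  return issues;
}

// Constructed responses: a weak configuration beside the corrected one.
const WEAK = {
  'Content-Type': 'text/html',
  'X-Frame-Options': 'DENY',
  'Access-Control-Allow-Origin': '*',
  'Set-Cookie': ['sid=abc123; Path=/'],
};
const HARDENED = {
  'Content-Security-Policy': "default-src 'self'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Access-Control-Allow-Origin': 'https://app.example.com',
  'Set-Cookie': ['sid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict'],
};
console.log(auditResponseHeaders(WEAK), auditResponseHeaders(HARDENED));
```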
## Remediation Workflow
1. **Fix each vulnerability** following documented code examples
2. **Verify immediately** - re-run security scans, test functionality
3. **Document resolution** - mark findings as fixed with verification method
4. **Run dependency audit** - `npm audit`, update packages
5. **Test regression** - ensure fixes don't break features
6. **Update docs** - document security measures implemented
## Examples
**Example 1: SQL Injection Finding**
```markdown
### [CRITICAL] SQL Injection in User Login
**CVSS Score:** 9.8 | **Category:** OWASP A03:2021 | **Location:** `src/auth/login.js:45`
**Vulnerable Code:**
const query = `SELECT * FROM users WHERE email = '${email}'`;
const user = await db.query(query);
**Exploit Scenario:**
Attacker sends: email = "admin' OR '1'='1"
→ Returns all users, bypasses authentication, gains admin access
**Impact:**
- Complete authentication bypass
- Full database access
- Data exfiltration and manipulation
**Fix:**
const query = 'SELECT * FROM users WHERE email = ?';
const user = await db.query(query, [email]);
```
**Example 2: Hardcoded Secrets Finding**
```markdown
### [CRITICAL] Hardcoded API Key
**CVSS Score:** 9.6 | **Category:** OWASP A02:2021 | **Location:** `src/config.js:12`
**Vulnerable Code:**
const apiKey = "sk-1234567890abcdef";
**Impact:**
- Unauthorized API access
- Billing liability
- Data access under victim's account
**Fix:**
const apiKey = process.env.API_KEY;
// Store in .env (kept out of version control): API_KEY=<rotated key>
// Rotate the exposed key: it stays in repository history after removal.
```