Security Audit Skill

This skill provides elite security expertise for identifying and eliminating vulnerabilities before malicious actors can exploit them.

When to Use This Skill

Invoke this skill when:

• Reviewing authentication and authorization mechanisms

• Auditing code for injection vulnerabilities (SQL, NoSQL, command, XSS)

• Validating input sanitization and data protection measures

• Assessing cryptographic implementations and key management

• Analyzing API security, rate limiting, and authorization controls

• Conducting security reviews of new features or code changes

• Auditing payment processing, file uploads, or sensitive data handling

• Investigating potential security vulnerabilities reported by users or tools

Core Security Expertise

1. Authentication & Authorization Vulnerabilities

To identify authentication and authorization issues, examine:

• Password policies and storage mechanisms (bcrypt, argon2 vs plaintext)

• Session management and token expiration

• Authorization checks at every protected resource

• JWT token implementation (secret strength, expiration, algorithm)

• OAuth/SAML flows for common implementation errors

• Multi-factor authentication bypass opportunities

Key Rules:

• Never trust client-side authorization checks alone

• Every protected endpoint must verify both authentication AND authorization

• Session tokens should have appropriate timeouts and secure flags

2. Injection Attacks

To detect injection vulnerabilities, trace user input through:

• Database queries (SQL injection, NoSQL operator injection)

• System commands (command injection, path traversal)

• Template engines (template injection, SSTI)

• XML parsers (XXE injection)

• LDAP queries (LDAP injection)

Key Rules:

• User input must be validated, sanitized, and parameterized

• Never concatenate user input directly into queries or commands

• Use ORM/query builders with parameterization, not string concatenation

3. Input Validation & Sanitization

To validate input handling, check for:

• Whitelist-based validation on all user inputs

• Proper encoding for output contexts (HTML, JavaScript, URL, SQL)

• File upload restrictions (type, size, content validation)

• Mass assignment protection on data models

• Type validation to prevent coercion attacks

Key Rules:

• Validate on the server side, never trust client-side validation alone

• Use context-appropriate encoding when outputting user data

• Implement file upload validation beyond just file extension checks

4. Data Protection & Cryptography

To assess data protection, evaluate:

• Sensitive data identification and classification (PII, credentials, tokens)

• Encryption at rest (database fields, file storage)

• Encryption in transit (HTTPS enforcement, certificate validation)

• Cryptographic algorithm strength (avoid MD5, SHA1, DES, ECB mode)

• Key management and rotation procedures

• Timing attack vulnerabilities in comparison operations

Key Rules:

• Never store passwords in plaintext or with reversible encryption

• Use industry-standard libraries (not custom cryptography)

• Enforce HTTPS for all sensitive data transmission

5. API Security

To audit API security, review:

• Rate limiting implementation on all endpoints

• Object-level authorization (IDOR prevention)

• Excessive data exposure in API responses

• Security headers (CORS, CSP, HSTS, X-Frame-Options)

• API key rotation and secure storage

• Mass assignment vulnerabilities in request handlers

Key Rules:

• Implement rate limiting based on business requirements

• Return only the data the user is authorized to see

• Use security headers to enforce browser-side protections

6. Business Logic Vulnerabilities

To find business logic flaws, analyze:

• Race conditions in critical operations (TOCTOU issues)

• Price manipulation opportunities

• Privilege escalation paths through workflow abuse

• State transition validation

• Anti-automation controls (CAPTCHA, rate limiting)

Key Rules:

• Critical operations should be atomic and idempotent

• Validate state transitions, not just individual states

• Implement transaction-level integrity checks

Audit Methodology

When reviewing code, follow this systematic approach:

• Threat Modeling: Identify attack surfaces and potential threat actors

• Code Flow Analysis: Trace data flow from user input to sensitive operations

• Vulnerability Scanning: Systematically check for known vulnerability patterns

• Attack Simulation: Think like an attacker - how would this be exploited?

• Defense Verification: Validate that security controls are properly implemented

• Compliance Check: Ensure adherence to standards (OWASP Top 10, PCI-DSS, GDPR)

Report Output Format

IMPORTANT: The section below defines the COMPLETE report structure that MUST be used. Do NOT create your own format or simplified version.

Location and Naming

• Directory: /docs/security/

• Filename: YYYY-MM-DD-HHMMSS-security-audit.md

• Example: 2025-10-29-143022-security-audit.md

Report Template

🚨 CRITICAL INSTRUCTION - READ CAREFULLY 🚨

You MUST use this exact template structure for ALL security audit reports. This is MANDATORY and NON-NEGOTIABLE.

REQUIREMENTS:

• ✅ Use the COMPLETE template structure below - ALL sections are REQUIRED

• ✅ Follow the EXACT heading hierarchy (##, ###, ####)

• ✅ Include ALL section headings as written in the template

• ✅ Use the finding numbering format: C-001, H-001, M-001, L-001, etc.

• ✅ Include the tables, code examples, and checklists as shown

• ❌ DO NOT create your own format or structure

• ❌ DO NOT skip or combine sections

• ❌ DO NOT create abbreviated or simplified versions

• ❌ DO NOT number issues as "1, 2, 3" - use C-001, H-001, M-001 format

If you do not follow this template exactly, the report will be rejected.

Audit Overview

• Target System: [Application Name/System]

• Analysis Date: [Date Range]

• Analysis Scope: [Web Application/API/Full Codebase]

• Technology Stack: [e.g., .NET 8, Umbraco CMS, Azure AD B2C, SQL Server, Elasticsearch]

Risk Assessment Summary

Risk Level Count Percentage

Critical X X%

High X X%

Medium X X%

Low X X%

Total X 100%

Key Findings

• Critical Issues: X findings requiring immediate attention

• OWASP Top 10 Compliance: X/10 categories compliant

• Overall Security Score: X/100 (based on vulnerability severity and coverage)

Analysis Methodology

Security Analysis Approach

• Code Pattern Analysis: Comprehensive source code review for security anti-patterns

• Dependency Vulnerability Assessment: Analysis of package dependencies and known CVEs

• Configuration Security Review: Examination of configuration files and settings

• Architecture Security Analysis: Review of authentication, authorization, and data flow patterns

Analysis Coverage

• Files Analyzed: X source files across Y projects

• Dependencies Reviewed: X packages and libraries

• Configuration Files: X config files examined

• Security Patterns Checked: OWASP Top 10, common vulnerability patterns

Analysis Capabilities

• Pattern Detection: SQL injection, XSS, authentication bypasses, insecure configurations

• Dependency Analysis: Outdated packages, known vulnerabilities, licensing issues

• Code Flow Analysis: Authentication flows, authorization checks, data handling

• Configuration Assessment: Security headers, secrets management, encryption settings

Security Findings

Critical Risk Findings

C-001: SQL Injection Vulnerability

Location: src/Website.Data/Services/UserService.cs:45

Risk Score: 9.8 (Critical) Pattern Detected: Direct string concatenation in SQL query construction Code Context:

var query = $"SELECT * FROM Users WHERE id = {userId}";

Impact: Complete database compromise, data exfiltration, system takeover Recommendation: Replace with parameterized queries using Entity Framework or SqlParameter Fix Priority: Immediate (within 24 hours)

C-002: Authentication Bypass

Location: src/Website.Security/Middleware/AuthMiddleware.cs:67

Risk Score: 9.1 (Critical) Pattern Detected: JWT token validation can be bypassed with null/empty checks Code Context: Missing signature verification in token validation logic Impact: Unauthorized access to protected resources Recommendation: Implement proper JWT signature validation and expiration checks Fix Priority: Immediate (within 48 hours)

High Risk Findings

H-001: Hardcoded Secrets

Location: Multiple configuration files and source files Risk Score: 7.5 (High) Pattern Detected: API keys, connection strings, and secrets in source code Affected Files:

• src/Website.Web/appsettings.json

• src/Website.Core/Services/ExternalApiService.cs:23

Impact: Credential compromise, unauthorized system access Recommendation: Move all secrets to secure configuration (Azure Key Vault, environment variables) Fix Priority: Within 1 week

H-002: Insufficient Access Controls

Location: src/Website.Core/Controllers/AdminController.cs

Risk Score: 7.2 (High) Pattern Detected: Administrative endpoints lack proper role-based authorization Code Context: Missing [Authorize(Roles = "Admin")] attributes on sensitive operations Impact: Privilege escalation, unauthorized administrative access Recommendation: Implement granular role-based access control with proper attribute decorations Fix Priority: Within 2 weeks

Medium Risk Findings

M-001: Cross-Site Scripting (XSS)

Location: Multiple view templates and API responses Risk Score: 6.1 (Medium) Pattern Detected: Unencoded user input rendered in HTML responses Affected Areas: User profile pages, search results, comment sections Impact: Session hijacking, credential theft, phishing attacks Recommendation: Implement automatic HTML encoding and Content Security Policy headers Fix Priority: Within 1 month

M-002: Insecure Direct Object References

Location: src/Website.Core/Controllers/DocumentController.cs:89

Risk Score: 5.4 (Medium) Pattern Detected: Document access by ID without ownership validation Code Context: Direct parameter usage without authorization checks Impact: Unauthorized access to sensitive documents Recommendation: Implement object-level authorization checks before resource access Fix Priority: Within 1 month

Low Risk Findings

L-001: Missing Security Headers

Location: Web server configuration Risk Score: 3.7 (Low) Pattern Detected: Security headers not configured in middleware pipeline Missing Headers: HSTS, X-Frame-Options, X-Content-Type-Options, CSP Impact: Reduced defense against clickjacking and MITM attacks Recommendation: Configure comprehensive security headers in startup configuration Fix Priority: Within 2 months

Architecture Security Assessment

Authentication & Authorization Analysis

• Azure AD B2C Integration: ✅ Properly configured with secure redirect URIs

• Session Management: ⚠️ Security stamp validation implementation needs improvement

• Role-Based Access Control: ❌ Insufficient granularity, missing authorization checks

• API Authentication: ❌ Bearer token validation inconsistent across controllers

Data Protection Analysis

• Sensitive Data Handling: ❌ Personal data logged in plain text, insufficient encryption

• Input Validation: ⚠️ Some endpoints lack comprehensive validation

• Output Encoding: ❌ XSS vulnerabilities in multiple view templates

• Error Handling: ⚠️ Some error messages expose internal system information

Dependency Security Analysis

• Package Vulnerabilities: ⚠️ 3 high-severity CVEs detected in NuGet packages

• Outdated Dependencies: ❌ 12 packages with available security updates

• License Compliance: ✅ All dependencies use compatible licenses

• Supply Chain Security: ⚠️ Some packages from unofficial sources

OWASP Top 10 2021 Compliance Analysis

Risk Category Compliance Status Assessment

A01 - Broken Access Control ❌ Non-Compliant 5 instances of missing authorization checks

A02 - Cryptographic Failures ⚠️ Partial Some data encrypted, but secrets management insufficient

A03 - Injection ❌ Non-Compliant SQL injection vulnerabilities detected

A04 - Insecure Design ✅ Compliant Good separation of concerns and architecture

A05 - Security Misconfiguration ❌ Non-Compliant Missing security headers and default configurations

A06 - Vulnerable Components ⚠️ Partial Some outdated dependencies with known CVEs

A07 - Identity & Auth Failures ❌ Non-Compliant Authentication bypass and weak session management

A08 - Data Integrity Failures ⚠️ Partial Some validation present but inconsistent

A09 - Security Logging Failures ⚠️ Partial Basic logging but insufficient security event coverage

A10 - Server-Side Request Forgery ✅ Compliant No SSRF patterns detected

Overall OWASP Compliance: 40% (4/10 categories fully compliant)

Technical Recommendations

Immediate Code Fixes

• Replace all string concatenation in SQL queries with parameterized queries

• Remove hardcoded secrets from source code and configuration files

• Add missing authorization attributes to administrative endpoints

• Fix JWT token validation to include proper signature verification

Security Enhancements

• Implement comprehensive input validation using data annotations and custom validators

• Add automatic HTML encoding for all user-generated content

• Configure security headers middleware in the application pipeline

• Update vulnerable dependencies to latest secure versions

Architecture Improvements

• Implement centralized secrets management using Azure Key Vault

• Add comprehensive security logging for authentication and authorization events

• Implement rate limiting for API endpoints

• Add automated security testing to the CI/CD pipeline

Code Remediation Examples

SQL Injection Fix

Before (Vulnerable):

var query = $"SELECT * FROM Users WHERE id = {userId}"; var user = context.Database.SqlQuery<User>(query).FirstOrDefault();

After (Secure):

var user = context.Users.FirstOrDefault(u => u.Id == userId); // OR using parameterized query if raw SQL needed var query = "SELECT * FROM Users WHERE id = @userId"; var user = context.Database.SqlQuery<User>(query, new SqlParameter("@userId", userId)).FirstOrDefault();

Authorization Fix

Before (Vulnerable):

[HttpDelete] public IActionResult DeleteUser(int id) { // No authorization check userService.Delete(id); return Ok(); }

After (Secure):

[HttpDelete] [Authorize(Roles = "Admin")] public IActionResult DeleteUser(int id) { userService.Delete(id); return Ok(); }

Risk Mitigation Priorities

Phase 1: Critical Vulnerability Remediation

• Fix SQL injection in UserService.cs:45

• Patch authentication bypass in AuthMiddleware.cs:67

• Remove hardcoded API keys from configuration files

• Add missing authorization checks to admin endpoints

Phase 2: High Risk Resolution

• Implement proper secrets management

• Fix XSS vulnerabilities in view templates

• Update vulnerable NuGet packages

• Add comprehensive input validation

Phase 3: Medium Risk and Configuration

• Configure security headers middleware

• Implement object-level authorization

• Add security event logging

• Fix insecure direct object references

Phase 4: Security Hardening

• Implement rate limiting

• Add automated security testing

• Complete OWASP compliance review

• Document security procedures

Summary

This security analysis identified X critical, Y high, Z medium, and W low risk vulnerabilities across the codebase. The analysis focused on code patterns, dependency vulnerabilities, and configuration security without requiring manual penetration testing or third-party tools.

Key Strengths Identified:

• Good architectural separation of concerns

• Proper use of modern authentication framework (Azure AD B2C)

• No SSRF vulnerabilities detected

Critical Areas Requiring Immediate Attention:

• SQL injection vulnerabilities requiring immediate patching

• Authentication bypass issues

• Hardcoded secrets in source code

• Missing authorization controls

Severity Assessment Framework

When determining severity, apply these criteria:

• CRITICAL: Can an unauthenticated attacker access sensitive data or compromise the system?

• HIGH: Can an authenticated user escalate privileges or access other users' data?

• MEDIUM: Does exploitation require specific conditions or insider knowledge?

• LOW: Is this a defense-in-depth improvement or minor information disclosure?

Examples

Example 1: SQL Injection

Bad approach:

const query = SELECT * FROM users WHERE email = '${userEmail}'; db.query(query);

Good approach:

const query = 'SELECT * FROM users WHERE email = ?'; db.query(query, [userEmail]);

Example 2: Password Storage

Bad approach:

user.password = md5(password);

Good approach:

user.password = await bcrypt.hash(password, 12);

Example 3: Authorization Check

Bad approach:

// Only checking authentication, not authorization if (req.user) { return db.getOrder(req.params.orderId); }

Good approach:

// Check both authentication and authorization if (req.user) { const order = await db.getOrder(req.params.orderId); if (order.userId !== req.user.id) { throw new ForbiddenError(); } return order; }

Best Practices

Assume Breach Mentality: Design systems assuming attackers will gain some level of access. Implement defense-in-depth with multiple layers of security.

Validate Context: Consider the specific project architecture, technology stack, and business requirements when assessing vulnerabilities. A vulnerability's severity depends on context.

Provide Actionable Fixes: Every finding should include specific, implementable remediation steps with code examples where possible.

Balance Security and Usability: Recommend security measures that don't break functionality. Verify proposed fixes work with the existing architecture.

Think Like an Attacker: For each vulnerability, demonstrate concrete exploit scenarios to illustrate the real-world impact.

Acknowledge Good Security: Recognize properly implemented security controls to reinforce positive patterns and build trust.

Quality Assurance Checklist

Before finalizing a security audit, verify:

• ✓ Have all user input points been identified and traced?

• ✓ Have sensitive data flows been traced end-to-end?

• ✓ Have both authenticated and unauthenticated attack vectors been considered?

• ✓ Are remediation recommendations specific and actionable?

• ✓ Have recommendations been validated to ensure they don't break functionality?

• ✓ Has business context and risk tolerance been factored into severity assessments?

Context-Aware Analysis

When project-specific context is available in CLAUDE.md files, incorporate:

• Project Architecture: Understand security boundaries and trust zones

• Technology Stack: Identify framework-specific vulnerabilities and security features

• Business Logic: Recognize domain-specific security requirements

• Compliance Requirements: Note regulatory constraints (PCI-DSS, HIPAA, GDPR)

• Existing Security Measures: Build upon established security patterns

Communication Guidelines

When reporting findings:

• Be direct and precise about security risks

• Use technical terminology accurately

• Provide concrete exploit scenarios to demonstrate impact

• Include code snippets showing both vulnerable and secure implementations

• Balance thoroughness with clarity - reports should be actionable

• Acknowledge properly implemented security controls

• Escalate critical findings immediately with clear urgency

Remember: The goal is not to criticize but to protect. Every vulnerability found and fixed is a potential breach prevented. Be thorough, be precise, and always think like an attacker while defending like a guardian.