
Owasp Top 10
Map findings and review questions to OWASP Web Application Security Top 10 (2025) IDs while hardening a solo-built web app before shipping it.
Install
npx skills add https://github.com/microsoft/hve-core --skill owasp-top-10
What is this skill?
- Indexed catalog of all 10 OWASP Web Top 10:2025 items (A01–A10) with title and category
- Cross-reference matrix tying each vulnerability doc to one consistent section structure (description, risk, checklist, prevention controls, attack scenarios, detection, remediation)
- Categories span access control, supply chain, crypto, injection, design, auth, integrity, logging, and error handling
- 2025 edition identifiers for citations in PRs, threat models, and agent security passes
Adoption & trust: 59 installs on skills.sh; 1.1k GitHub stars; 3/3 security scanners passed (skills.sh audits).
Recommended Skills
Azure Compliance (microsoft/azure-skills)
Openclaw Secure Linux Cloud (xixu-me/skills)
Entra Agent Id (microsoft/azure-skills)
Firebase Security Rules Auditor (firebase/agent-skills)
Firestore Security Rules Auditor (firebase/agent-skills)
Skill Vetter (useai-pro/openclaw-skills-security)
Common Questions / FAQ
Is Owasp Top 10 safe to install?
skills.sh reports 3 of 3 security scanners passed. Scanner results are not a code review: read the SKILL.md contents below and the Security Audits panel on the skills.sh page before installing in production.
SKILL.md - Owasp Top 10
# 00 Vulnerability Index

This document provides the index for the OWASP Web Application Security Top 10 vulnerabilities. Each entry includes its identifier, title, and primary category.

## Vulnerability catalog

| ID | Title | Category |
|----------|----------------------------------------|--------------------------|
| A01:2025 | Broken Access Control | Access Control |
| A02:2025 | Security Misconfiguration | Configuration Management |
| A03:2025 | Software Supply Chain Failures | Supply Chain |
| A04:2025 | Cryptographic Failures | Cryptography |
| A05:2025 | Injection | Input Validation |
| A06:2025 | Insecure Design | Architecture and Design |
| A07:2025 | Authentication Failures | Authentication |
| A08:2025 | Software or Data Integrity Failures | Data Integrity |
| A09:2025 | Security Logging and Alerting Failures | Logging and Monitoring |
| A10:2025 | Mishandling of Exceptional Conditions | Error Handling |

## Cross-reference matrix

Each vulnerability document follows a consistent structure:

1. Description — what the vulnerability is and how it manifests in web applications.
2. Risk — concrete consequences of exploitation and business impact.
3. Vulnerability checklist — indicators that the application is exposed.
4. Prevention controls — defensive measures and rectification steps.
5. Example attack scenarios — realistic exploitation narratives.
6. Detection guidance — signals and methods to identify exposure.
7. Remediation — immediate and long-term actions to contain and resolve.

## Category groupings

### Access Control

* A01:2025 Broken Access Control

### Configuration Management

* A02:2025 Security Misconfiguration

### Supply Chain

* A03:2025 Software Supply Chain Failures

### Cryptography

* A04:2025 Cryptographic Failures

### Input Validation

* A05:2025 Injection

### Architecture and Design

* A06:2025 Insecure Design

### Authentication

* A07:2025 Authentication Failures

### Data Integrity

* A08:2025 Software or Data Integrity Failures

### Logging and Monitoring

* A09:2025 Security Logging and Alerting Failures

### Error Handling

* A10:2025 Mishandling of Exceptional Conditions

---

Content derived from works by the OWASP Foundation, licensed under CC BY-SA 4.0 (<https://creativecommons.org/licenses/by-sa/4.0/>). Modifications: Restructured into agent-consumable reference format with added detection and remediation guidance.

*🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.*

---
title: 'A01: Broken Access Control'
description: OWASP Web Top 10 reference for broken access control vulnerabilities including privilege escalation and unauthorized resource access
---

# 01 Broken Access Control

Identifier: A01:2025
Category: Access Control

## Description

Broken access control occurs when an application fails to enforce policies that prevent users from acting outside their intended permissions. This vulnerability allows unauthorized information disclosure, modification or destruction of data, or performing business functions beyond the user's authorized limits. Common manifestations include violation of the principle of least privilege, bypassing access control checks through URL parameter tampering or API request modification, insecure direct object references, missing access controls on API endpoints, elevation of privilege, metadata manipulation of tokens and cookies, and CORS misconfiguration.
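As an added example (not code from the hve-core skill or from the OWASP text), the JavaScript below shows two of the manifestations just listed side by side with their hardened forms: an insecure direct object reference, where an authenticated user changes the id in the URL and reads another user's record, beside a deny-by-default ownership check; and a CORS handler that reflects any `Origin` with credentials, beside an exact allowlist match. The users, invoices and origins are constructed for the demo, and the function names (`getInvoiceVulnerable`, `getInvoiceHardened`, `corsHeadersVulnerable`, `corsHeadersHardened`) are hypothetical.

```javascript
// Added example, not part of the hve-core skill or the OWASP text.
// Constructed demo data: two ordinary users, one admin, two invoices.
const users = {
  alice: { id: "alice", role: "user" },
  bob: { id: "bob", role: "user" },
  admin: { id: "admin", role: "admin" },
};

const invoices = new Map([
  [1001, { id: 1001, owner: "alice", total: 120 }],
  [1002, { id: 1002, owner: "bob", total: 75 }],
]);

// Parse the id taken from the URL; anything that is not an integer simply misses.
function lookupInvoice(rawId) {
  const id = Number(rawId);
  return Number.isInteger(id) ? invoices.get(id) : undefined;
}

// Vulnerable (IDOR): the caller is authenticated, so sessionUser is known,
// but nothing checks that the invoice belongs to them. Bob can read
// /invoices/1001 just by editing the number in the URL.
function getInvoiceVulnerable(sessionUser, rawId) {
  const invoice = lookupInvoice(rawId);
  if (!invoice) return { status: 404 };
  return { status: 200, body: invoice };
}

// Hardened: deny by default. The record is returned only if the caller owns
// it or holds the admin role. Unauthorized ids get the same 404 as missing
// ids, so the endpoint does not confirm which ids exist.
function getInvoiceHardened(sessionUser, rawId) {
  const invoice = lookupInvoice(rawId);
  const allowed =
    invoice !== undefined &&
    (invoice.owner === sessionUser.id || sessionUser.role === "admin");
  if (!allowed) return { status: 404 };
  return { status: 200, body: invoice };
}

// CORS misconfiguration: reflecting the request Origin while allowing
// credentials lets any site the victim visits read their authenticated
// responses with the victim's cookies attached.
function corsHeadersVulnerable(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: exact match against a fixed allowlist (no regexes, no substring
// or prefix checks), and no CORS headers at all for any other origin.
const allowedOrigins = new Set(["https://app.example.com"]);

function corsHeadersHardened(requestOrigin) {
  if (!allowedOrigins.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // caches must not serve one origin's answer to another
  };
}

// Walk through the scenarios when run directly.
console.log("bob reads alice's invoice (vulnerable):", getInvoiceVulnerable(users.bob, "1001").status); // 200
console.log("bob reads alice's invoice (hardened):", getInvoiceHardened(users.bob, "1001").status); // 404
console.log("admin reads bob's invoice (hardened):", getInvoiceHardened(users.admin, "1002").status); // 200
console.log("evil origin (vulnerable):", corsHeadersVulnerable("https://evil.example"));
console.log("evil origin (hardened):", corsHeadersHardened("https://evil.example"));
```

The hardened lookup still trusts `sessionUser` to have come from a verified session; an authorization check is only as good as the authentication (A07:2025) that populated it, and the same ownership rule must be applied on every route that touches the record (update and delete, not just read).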
Access control weaknesses are pervasive across web applications, with 100% of tes