Vibe Index
🎯

security-testing

🎯Skill

from proffesor-for-testing/agentic-qe

VibeIndex|
What it does

Systematically tests for security vulnerabilities using OWASP principles, scanning for authentication, injection, and configuration risks across systems and code.

πŸ“¦

Part of

proffesor-for-testing/agentic-qe(97 items)

security-testing

Installation

npm installInstall npm package
npm install -g agentic-qe
Claude CLIAdd MCP server via Claude CLI
claude mcp add aqe -- aqe-mcp
Local ServerRun MCP server locally
claude mcp add aqe -- npx agentic-qe mcp
npxRun with npx
npx @claude-flow/cli@latest swarm init --topology hierarchical-mesh
git cloneClone repository
git clone https://github.com/proffesor-for-testing/agentic-qe.git

+ 1 more commands

πŸ“– Extracted from docs: proffesor-for-testing/agentic-qe
Need more details? View full documentation on GitHub β†’
5Installs
-
AddedFeb 4, 2026
View on GitHubBack to Skills

Skill Details

SKILL.md

"Test for security vulnerabilities using OWASP principles. Use when conducting security audits, testing auth, or implementing security practices."

Overview

# Security Testing

When testing security or conducting audits:

  1. TEST OWASP Top 10 vulnerabilities systematically
  2. VALIDATE authentication and authorization on every endpoint
  3. SCAN dependencies for known vulnerabilities (npm audit)
  4. CHECK for injection attacks (SQL, XSS, command)
  5. VERIFY secrets aren't exposed in code/logs

Quick Security Checks:

  • Access control β†’ Test horizontal/vertical privilege escalation
  • Crypto β†’ Verify password hashing, HTTPS, no sensitive data exposed
  • Injection β†’ Test SQL injection, XSS, command injection
  • Auth β†’ Test weak passwords, session fixation, MFA enforcement
  • Config β†’ Check error messages don't leak info

Critical Success Factors:

  • Think like an attacker, build like a defender
  • Security is built in, not added at the end
  • Test continuously in CI/CD, not just before release

Quick Reference Card

When to Use

  • Security audits and penetration testing
  • Testing authentication/authorization
  • Validating input sanitization
  • Reviewing security configuration

OWASP Top 10 (2021)

| # | Vulnerability | Key Test |

|---|---------------|----------|

| 1 | Broken Access Control | User A accessing User B's data |

| 2 | Cryptographic Failures | Plaintext passwords, HTTP |

| 3 | Injection | SQL/XSS/command injection |

| 4 | Insecure Design | Rate limiting, session timeout |

| 5 | Security Misconfiguration | Verbose errors, exposed /admin |

| 6 | Vulnerable Components | npm audit, outdated packages |

| 7 | Auth Failures | Weak passwords, no MFA |

| 8 | Integrity Failures | Unsigned updates, malware |

| 9 | Logging Failures | No audit trail for breaches |

| 10 | SSRF | Server fetching internal URLs |

Tools

| Type | Tool | Purpose |

|------|------|---------|

| SAST | SonarQube, Semgrep | Static code analysis |

| DAST | OWASP ZAP, Burp | Dynamic scanning |

| Deps | npm audit, Snyk | Dependency vulnerabilities |

| Secrets | git-secrets, TruffleHog | Secret scanning |

Agent Coordination

  • qe-security-scanner: Multi-layer SAST/DAST scanning
  • qe-api-contract-validator: API security testing
  • qe-quality-analyzer: Security code review

---

Key Vulnerability Tests

1. Broken Access Control

```javascript

// Horizontal escalation - User A accessing User B's data

test('user cannot access another user\'s order', async () => {

const userAToken = await login('userA');

const userBOrder = await createOrder('userB');

const response = await api.get(/orders/${userBOrder.id}, {

headers: { Authorization: Bearer ${userAToken} }

});

expect(response.status).toBe(403);

});

// Vertical escalation - Regular user accessing admin

test('regular user cannot access admin', async () => {

const userToken = await login('regularUser');

expect((await api.get('/admin/users', {

headers: { Authorization: Bearer ${userToken} }

})).status).toBe(403);

});

```

2. Injection Attacks

```javascript

// SQL Injection

test('prevents SQL injection', async () => {

const malicious = "' OR '1'='1";

const response = await api.get(/products?search=${malicious});

expect(response.body.length).toBeLessThan(100); // Not all products

});

// XSS

test('sanitizes HTML output', async () => {

const xss = '';

await api.post('/comments', { text: xss });

const html = (await api.get('/comments')).body;

expect(html).toContain('<script>');

expect(html).not.toContain('