Does it support frameworks like Laravel or Symfony?

Yes, the skill is designed for general PHP applications and uses patterns that apply to controllers, services, and repositories commonly found in Laravel, Symfony, and other PSR-compliant frameworks.

Can this skill detect race conditions?

Yes, it specifically looks for TOCTOU (Time-of-Check-Time-of-Use) patterns where a state change occurs between a security check and the subsequent action, potentially allowing for exploits like overselling inventory.

How does it help with OWASP compliance?

It directly targets the OWASP Top 10 A04:2021 category by identifying missing security controls at the design level, such as lack of rate limiting, missing CAPTCHAs, and predictable resource identifiers.

What is 'Insecure Design' in PHP applications?

Insecure design refers to architectural flaws where the design itself is vulnerable, such as missing brute-force protection or logic that allows client-side price manipulation, which cannot be fixed by simple code patches.

PHP Insecure Design Checker

Name: PHP Insecure Design Checker
Author: dykyi-roman

bydykyi-roman

•

Seguridad y Pruebas

Identifies architectural security flaws and business logic vulnerabilities in PHP applications based on OWASP A04 standards.

This skill empowers Claude to perform deep architectural audits of PHP codebases, focusing on 'Insecure Design' vulnerabilities that traditional implementation-level checks might miss. It scans for critical flaws such as missing account lockout mechanisms, race conditions (TOCTOU), lack of rate limiting on sensitive endpoints, and business logic errors like client-side price manipulation. By integrating these checks into the development workflow, teams can shift security left and ensure their application's underlying logic is robust against sophisticated automated attacks and logic-based exploits.

Características Principales

0145 GitHub stars

02Analyzes business logic for price manipulation and negative quantity exploits

03Verifies the presence of rate limiting and CAPTCHA on sensitive endpoints

04Detects OWASP A04:2021 Insecure Design vulnerabilities in PHP code

05Identifies missing account lockout and brute-force protection mechanisms

06Flags potential TOCTOU (Time-of-Check-Time-of-Use) race conditions

Casos de Uso

01Automating security code reviews during the development or pull request phase

02Performing security audits on legacy PHP monoliths or modern Laravel/Symfony applications

03Identifying sequential ID patterns that should be refactored to UUIDs to prevent IDOR

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add dykyi-roman/awesome-claude-code check-insecure-design

For use in Claude.ai and ChatGPT

Download Skill