Does it support scanning behind a login?

Yes, it supports multiple authentication methods including form-based login, Bearer tokens, and Basic Auth to scan protected areas of your application.

What does this DAST skill actually test for?

The skill performs checks for OWASP Top 10 vulnerabilities, including XSS, SQL Injection, CSRF, missing security headers, insecure cookies, and sensitive data exposure.

Where are the security findings stored?

All detected issues are written to a standardized report at docs/security/web-findings.json, categorized by severity with remediation advice.

How does the crawling process work?

It uses a breadth-first crawling strategy via Playwright to discover pages up to a configurable depth and page limit, ensuring comprehensive site coverage.

Do I need any special prerequisites to run this?

You need the target application to be accessible and Playwright configured in your environment for the browser automation to function.

Security DAST Scanner

Name: Security DAST Scanner
Author: jpoley

byjpoley

•

セキュリティとテスト

Performs automated Dynamic Application Security Testing (DAST) on web applications using Playwright to identify OWASP Top 10 vulnerabilities.

This skill empowers Claude Code to conduct comprehensive security audits of live web applications by automating browser interactions via Playwright. It systematically crawls target URLs to detect critical vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF), while also performing deep analysis of security headers, cookie configurations, and TLS settings. Designed for developers and security engineers, it provides actionable findings in a standardized JSON format with remediation guidance, helping teams identify and fix security flaws early in the development lifecycle.

主な機能

01XSS and SQL injection payload injection testing

02Security header and cookie flag analysis

035 GitHub stars

04Support for authenticated scanning (Form, Bearer, and Basic)

05Unified JSON reporting with remediation steps and CWE IDs

06Automated OWASP Top 10 vulnerability scanning

ユースケース

01Running automated security audits on staging environments before production deployment

02Conducting automated regression testing for known web security vulnerabilities

03Identifying misconfigured security headers and insecure session cookies on live sites

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add jpoley/flowspec security-dast

For use in Claude.ai and ChatGPT

Download Skill