Does it support scanning behind a login?

Yes, it supports multiple authentication methods including form-based login, Bearer tokens, and Basic Auth to scan protected areas of your application.

What does this DAST skill actually test for?

The skill performs checks for OWASP Top 10 vulnerabilities, including XSS, SQL Injection, CSRF, missing security headers, insecure cookies, and sensitive data exposure.

Where are the security findings stored?

All detected issues are written to a standardized report at docs/security/web-findings.json, categorized by severity with remediation advice.

How does the crawling process work?

It uses a breadth-first crawling strategy via Playwright to discover pages up to a configurable depth and page limit, ensuring comprehensive site coverage.

Do I need any special prerequisites to run this?

You need the target application to be accessible and Playwright configured in your environment for the browser automation to function.

Security DAST Scanner

Name: Security DAST Scanner
Author: jpoley

byjpoley

•

セキュリティとテスト

Performs automated Dynamic Application Security Testing (DAST) on web applications using Playwright to identify OWASP Top 10 vulnerabilities.

概要

This skill empowers Claude Code to conduct comprehensive security audits of live web applications by automating browser interactions via Playwright. It systematically crawls target URLs to detect critical vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF), while also performing deep analysis of security headers, cookie configurations, and TLS settings. Designed for developers and security engineers, it provides actionable findings in a standardized JSON format with remediation guidance, helping teams identify and fix security flaws early in the development lifecycle.

主な機能

XSS and SQL injection payload injection testing
Security header and cookie flag analysis
5 GitHub stars
Support for authenticated scanning (Form, Bearer, and Basic)
Unified JSON reporting with remediation steps and CWE IDs
Automated OWASP Top 10 vulnerability scanning

ユースケース

Running automated security audits on staging environments before production deployment
Conducting automated regression testing for known web security vulnerabilities
Identifying misconfigured security headers and insecure session cookies on live sites

概要

主な機能

XSS and SQL injection payload injection testing
Security header and cookie flag analysis
5 GitHub stars
Support for authenticated scanning (Form, Bearer, and Basic)
Unified JSON reporting with remediation steps and CWE IDs
Automated OWASP Top 10 vulnerability scanning

ユースケース

Running automated security audits on staging environments before production deployment
Conducting automated regression testing for known web security vulnerabilities
Identifying misconfigured security headers and insecure session cookies on live sites