qa-skills 3.0.0

package/skills/qa-security-test-writer/SKILL.md

@@ -0,0 +1,123 @@
+---
+name: qa-security-test-writer
+description: Generate security tests based on OWASP Top 10 and WSTG covering injection, XSS, CSRF, authentication bypass, and DAST using ZAP and custom scripts.
+output_dir: tests/security
+---
+
+# QA Security Test Writer
+
+## Purpose
+
+Write security tests covering OWASP Top 10 vulnerabilities and OWASP WSTG scenarios. Transform NFR security requirements (from qa-nfr-analyst) and application context into executable security test scripts (TypeScript/Python), OWASP ZAP configurations, and vulnerability reports. Support both custom script-based testing and DAST (Dynamic Application Security Testing) via ZAP.
+
+## Trigger Phrases
+
+- "Write security tests for [app/API]"
+- "Generate OWASP Top 10 tests"
+- "Create ZAP configuration for [target]"
+- "Security tests for SQL injection, XSS, CSRF"
+- "DAST scan setup with OWASP ZAP"
+- "Authentication bypass tests"
+- "Security test scripts from NFR analysis"
+- "OWASP WSTG test scenarios"
+
+## OWASP Top 10 Coverage
+
+| ID | Category | Test Focus |
+|----|----------|------------|
+| **A01** | Broken Access Control | IDOR, privilege escalation, path traversal, CORS |
+| **A02** | Cryptographic Failures | TLS, weak hashing, sensitive data in transit/rest |
+| **A03** | Injection | SQL, NoSQL, OS command, LDAP, XPath, SSTI |
+| **A04** | Insecure Design | Business logic flaws, missing security controls |
+| **A05** | Security Misconfiguration | Default creds, debug mode, verbose errors, headers |
+| **A06** | Vulnerable Components | Dependency scanning, known CVEs |
+| **A07** | Identification/Authentication Failures | Weak passwords, session fixation, credential stuffing |
+| **A08** | Software/Data Integrity Failures | Unsigned updates, deserialization, CI/CD tampering |
+| **A09** | Security Logging/Monitoring Failures | Missing audit logs, insufficient alerting |
+| **A10** | Server-Side Request Forgery | SSRF to internal services, cloud metadata |
+
+See `references/owasp-top10.md` for test scenarios and example code per category.
+
+## Tools
+
+| Tool | Purpose |
+|------|---------|
+| **OWASP ZAP** | DAST scanning, passive/active scan, API scan, authentication |
+| **Custom TypeScript** | Supertest/httpx-style API security tests, Playwright for auth flows |
+| **Custom Python** | httpx/requests API tests, pytest-based security checks |
+| **Playwright** | Authentication bypass, session management, XSS verification |
+
+## Workflow
+
+1. **Read NFR analysis** — From qa-nfr-analyst; extract security criteria and OWASP WSTG baseline
+2. **Map OWASP WSTG scenarios** — Align requirements to WSTG test IDs (see qa-nfr-analyst `references/owasp-wstg-baseline.md`)
+3. **Generate security test scripts** — TypeScript (Supertest/Playwright) or Python (httpx/pytest)
+4. **Configure ZAP** — Active/passive scan, auth, policies (see `references/zap-config.md`)
+5. **Run DAST scan** — Execute ZAP; produce vulnerability report
+
+## Test Categories
+
+| Category | Techniques | Tools |
+|----------|-------------|-------|
+| **SQL Injection** | Union-based, error-based, blind, time-based | Custom scripts, ZAP |
+| **XSS** | Reflected, stored, DOM-based | Custom scripts, Playwright, ZAP |
+| **CSRF** | Missing token, token reuse, SameSite | Custom scripts, Playwright |
+| **Authentication bypass** | Direct access, token manipulation, session fixation | Playwright, Supertest/httpx |
+| **Session management** | Timeout, logout, cookie attributes | Custom scripts |
+| **Header security** | HSTS, X-Frame-Options, CSP, X-Content-Type-Options | Custom scripts, ZAP |
+| **CORS misconfiguration** | Wildcard origin, credential leakage | Custom scripts |
+| **File upload** | Extension bypass, content-type spoofing, path traversal | Custom scripts |
+
+## Output
+
+- **Security test scripts** — `tests/security/` or `tests/security/` with TS/Python files
+- **ZAP configuration** — `zap-config.yaml` or `.zap/config` for automation
+- **Vulnerability report** — Summary of findings with severity, evidence, remediation
+
+## References
+
+- `references/owasp-top10.md` — OWASP Top 10 test scenarios with example test code
+- `references/zap-config.md` — OWASP ZAP configuration (active/passive scan, API, auth, policies)
+- `references/best-practices.md` — Safe testing, test environments, reporting, remediation
+
+## Scope
+
+**Can do (autonomous):**
+- Generate security test scripts from NFR analysis or WSTG scenarios
+- Create ZAP configuration for DAST
+- Write custom TypeScript/Python tests for injection, XSS, CSRF, auth, headers
+- Map OWASP Top 10 to test cases
+- Call qa-nfr-analyst for security NFRs when needed
+- Use qa-diagram-generator for threat/attack flow diagrams
+
+**Cannot do (requires confirmation):**
+- Run scans against production without explicit approval
+- Add dependencies not in package.json/requirements.txt
+- Override project security policy or scope
+
+**Will not do (out of scope):**
+- Execute ZAP or custom tests (user runs them)
+- Perform penetration testing beyond automated checks
+- Implement security fixes
+
+## Quality Checklist
+
+- [ ] Tests cover OWASP Top 10 categories relevant to the application
+- [ ] No hardcoded credentials; use env vars or fixtures
+- [ ] Payloads are safe (no destructive SQL/commands)
+- [ ] ZAP config targets staging/test environment only
+- [ ] Each test has clear assertion (pass = no vulnerability)
+- [ ] File naming follows `test_*_security.ts` or `test_*_security.py`
+- [ ] References to NFR IDs or WSTG IDs where applicable
+- [ ] Vulnerability report includes severity and remediation guidance
+
+## Troubleshooting
+
+| Symptom | Likely Cause | Fix |
+|---------|--------------|-----|
+| ZAP scan finds nothing | Target not reachable, auth not configured | Verify base URL; configure ZAP authentication |
+| Tests fail with 403 | WAF or rate limiting | Use test env; whitelist test IP; reduce concurrency |
+| False positives in ZAP | Aggressive policy, app-specific behavior | Tune scan policy; add context/exclusions |
+| XSS payload not reflected | Input sanitization, encoding | Try alternative payloads; check DOM sinks |
+| CSRF test passes incorrectly | SameSite=Lax blocks cross-site POST | Use same-origin test or disable SameSite in test |
+| Session tests flaky | Short timeout, shared state | Increase timeout; isolate session per test |

package/skills/qa-security-test-writer/references/best-practices.md

@@ -0,0 +1,155 @@
+# Security Testing Best Practices
+
+Best practices for safe, effective security testing. Use with qa-security-test-writer when generating tests and configuring scans.
+
+---
+
+## Safe Testing
+
+### Payload Safety
+
+| Do | Don't |
+|----|-------|
+| Use read-only or non-destructive payloads | Use `DROP TABLE`, `rm -rf`, or similar |
+| Test in isolated test/staging environments | Run against production without approval |
+| Use parameterized/safe SQL for comparison | Execute raw attacker payloads against real DB |
+| Verify rejection/encoding, not exploitation | Attempt to actually exfiltrate data |
+
+### Example: Safe SQL Injection Test
+
+```python
+# Good: Verify app rejects or sanitizes
+def test_sqli_rejected(client):
+    r = client.get("/api/search", params={"q": "' OR '1'='1"})
+    assert r.status_code in (400, 403, 422)
+    # Do NOT actually expect to retrieve all rows
+
+# Bad: Expecting to bypass and get data
+def test_sqli_bad(client):
+    r = client.get("/api/search", params={"q": "' OR 1=1--"})
+    assert len(r.json()["results"]) > 0  # Never assert success of attack
+```
+
+### Credentials and Secrets
+
+- Store test credentials in `.env` or CI secrets
+- Never commit passwords, API keys, or tokens
+- Use separate test accounts with minimal privileges
+- Rotate test credentials periodically
+
+---
+
+## Test Environments
+
+### Environment Isolation
+
+| Environment | Use For | Scan Type |
+|-------------|---------|-----------|
+| **Local** | Unit/integration security tests | Custom scripts only |
+| **Staging** | DAST, full security suite | ZAP, custom scripts |
+| **Production** | Never for active security testing | Passive monitoring only (if approved) |
+
+### Pre-Scan Checklist
+
+- [ ] Target is staging/test, not production
+- [ ] WAF/firewall allows test IP or is disabled in test env
+- [ ] Test accounts exist and credentials are in env vars
+- [ ] Destructive endpoints (delete, reset) are excluded
+- [ ] Scan window communicated to team (if shared env)
+
+---
+
+## Reporting
+
+### Vulnerability Report Structure
+
+```
+1. Executive Summary
+   - Scope, dates, high-level findings count
+
+2. Findings by Severity
+   - Critical, High, Medium, Low, Informational
+
+3. Per Finding
+   - Title, CWE, OWASP category
+   - Description, evidence (request/response snippets)
+   - Affected URL/parameter
+   - Remediation guidance
+   - References (CWE, OWASP, etc.)
+
+4. Appendix
+   - Scan config, tools, versions
+   - Exclusions and scope
+```
+
+### Severity Mapping
+
+| Severity | Typical Response |
+|----------|------------------|
+| Critical | Fix before release; block deployment |
+| High | Fix in current sprint |
+| Medium | Plan fix; accept risk if documented |
+| Low | Backlog; fix when convenient |
+| Informational | Review; no mandatory fix |
+
+### False Positive Handling
+
+- Document why a finding is a false positive
+- Add exclusion in ZAP context or scan policy
+- Re-verify after app changes
+- Do not ignore without documentation
+
+---
+
+## Remediation Guidance
+
+### Common Remediation Patterns
+
+| Vulnerability | Remediation |
+|---------------|-------------|
+| **SQL Injection** | Parameterized queries, ORM, input validation |
+| **XSS** | Output encoding, CSP, sanitization (DOMPurify, etc.) |
+| **CSRF** | CSRF tokens, SameSite cookies, double-submit cookie |
+| **Broken Access Control** | Authorization checks on every request, avoid IDOR |
+| **Missing Headers** | Add HSTS, X-Frame-Options, X-Content-Type-Options, CSP |
+| **Weak Auth** | Strong password policy, MFA, lockout, secure session |
+| **Sensitive Data Exposure** | Encrypt at rest/transit, no PII in logs/errors |
+
+### Reference Remediation Sources
+
+- [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/)
+- [CWE Top 25](https://cwe.mitre.org/top25/)
+- [NIST Secure Coding](https://www.nist.gov/)
+
+---
+
+## Integration with QA Workflow
+
+### CI/CD
+
+- Run security tests in CI on every PR (custom scripts)
+- Run ZAP baseline weekly or on release branches
+- Fail pipeline on critical/high (configurable)
+- Store reports as artifacts
+
+### NFR Traceability
+
+- Link security tests to NFR IDs (e.g., NFR-SEC-001)
+- Link to OWASP WSTG IDs (e.g., WSTG-INPV-05)
+- Trace findings back to requirements for coverage reporting
+
+### Collaboration
+
+- Share reports with dev and security teams
+- Triage findings in sprint planning
+- Track remediation in issue tracker
+- Re-scan after fixes to verify
+
+---
+
+## References
+
+- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
+- [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/)
+- [PTES Technical Guidelines](http://www.pentest-standard.org/)
+- [NIST SP 800-115](https://csrc.nist.gov/publications/detail/sp/800-115/final)

package/skills/qa-security-test-writer/references/owasp-top10.md

@@ -0,0 +1,331 @@
+# OWASP Top 10 Test Scenarios and Example Code
+
+Test scenarios and example test code for each OWASP Top 10 (2021) category. Use with qa-security-test-writer for generating security tests.
+
+---
+
+## A01: Broken Access Control
+
+**Focus:** IDOR, privilege escalation, path traversal, CORS misconfiguration.
+
+### IDOR (Insecure Direct Object Reference)
+
+```typescript
+// TypeScript (Supertest)
+describe('A01 - IDOR', () => {
+  it('should deny access to other user resources', async () => {
+    const userAToken = await getAuthToken('userA');
+    const userBResourceId = 'user-b-resource-id';
+    const res = await request(app)
+      .get(`/api/resources/${userBResourceId}`)
+      .set('Authorization', `Bearer ${userAToken}`)
+      .expect(403); // or 404 to avoid enumeration
+    expect(res.body).not.toHaveProperty('data');
+  });
+});
+```
+
+```python
+# Python (httpx)
+def test_idor_denies_cross_user_access(client, user_a_token, user_b_resource_id):
+    r = client.get(
+        f"/api/resources/{user_b_resource_id}",
+        headers={"Authorization": f"Bearer {user_a_token}"},
+    )
+    assert r.status_code in (403, 404)
+    assert "data" not in r.json()
+```
+
+### Path Traversal
+
+```python
+def test_path_traversal_blocked(client):
+    payloads = ["../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fpasswd"]
+    for payload in payloads:
+        r = client.get(f"/api/file?path={payload}")
+        assert r.status_code in (400, 403, 404)
+        assert "root:" not in r.text
+```
+
+---
+
+## A02: Cryptographic Failures
+
+**Focus:** TLS, weak hashing, sensitive data over HTTP.
+
+### TLS and Security Headers
+
+```typescript
+describe('A02 - Cryptographic Failures', () => {
+  it('should serve over HTTPS only', async () => {
+    const res = await request('http://localhost:3000').get('/');
+    expect(res.status).toBe(301);
+    expect(res.headers.location).toMatch(/^https:\/\//);
+  });
+
+  it('should set HSTS header', async () => {
+    const res = await request(app).get('/').expect(200);
+    expect(res.headers['strict-transport-security']).toBeDefined();
+    expect(res.headers['strict-transport-security']).toMatch(/max-age=\d+/);
+  });
+});
+```
+
+```python
+def test_no_sensitive_data_over_http(base_url_http):
+    r = httpx.get(f"{base_url_http}/api/login", follow_redirects=True)
+    assert r.url.scheme == "https"
+```
+
+---
+
+## A03: Injection
+
+**Focus:** SQL, NoSQL, OS command, LDAP, XPath, SSTI.
+
+### SQL Injection
+
+```typescript
+describe('A03 - SQL Injection', () => {
+  const sqlPayloads = [
+    "' OR '1'='1",
+    "1; DROP TABLE users--",
+    "1' UNION SELECT null,null--",
+    "1' AND SLEEP(5)--",
+  ];
+
+  sqlPayloads.forEach((payload) => {
+    it(`should reject SQLi payload: ${payload.substring(0, 20)}...`, async () => {
+      const res = await request(app)
+        .get(`/api/search?q=${encodeURIComponent(payload)}`)
+        .expect((status) => status >= 400 || status === 200);
+      // Should not return SQL error or unexpected data
+      expect(res.body).not.toMatch(/syntax error|mysql|postgresql|ora-/i);
+    });
+  });
+});
+```
+
+```python
+def test_sql_injection_blocked(client):
+    payloads = ["' OR '1'='1", "1; DROP TABLE users--"]
+    for p in payloads:
+        r = client.get(f"/api/search", params={"q": p})
+        assert r.status_code in (400, 403, 422)
+        assert "syntax" not in r.text.lower() and "mysql" not in r.text.lower()
+```
+
+### XSS (Reflected)
+
+```python
+def test_reflected_xss_blocked(client):
+    payload = "<script>alert(1)</script>"
+    r = client.get(f"/api/search", params={"q": payload})
+    assert payload not in r.text
+    assert "&lt;script&gt;" in r.text or "script" not in r.text
+```
+
+---
+
+## A04: Insecure Design
+
+**Focus:** Business logic flaws, missing security controls.
+
+```typescript
+describe('A04 - Insecure Design', () => {
+  it('should enforce workflow order (no step skipping)', async () => {
+    const token = await getAuthToken('user');
+    const res = await request(app)
+      .post('/api/checkout/confirm')
+      .set('Authorization', `Bearer ${token}`)
+      .send({ orderId: '123' })
+      .expect(400); // Should require prior steps
+  });
+});
+```
+
+---
+
+## A05: Security Misconfiguration
+
+**Focus:** Default credentials, debug mode, verbose errors, headers.
+
+```typescript
+describe('A05 - Security Misconfiguration', () => {
+  it('should not expose stack traces', async () => {
+    const res = await request(app).get('/api/nonexistent').expect(404);
+    expect(res.body).not.toMatch(/at\s+\w+\.\w+|\.ts:\d+|\.js:\d+/);
+  });
+
+  it('should set secure headers', async () => {
+    const res = await request(app).get('/').expect(200);
+    expect(res.headers['x-content-type-options']).toBe('nosniff');
+    expect(res.headers['x-frame-options']).toBeDefined();
+  });
+});
+```
+
+```python
+def test_no_debug_info_in_errors(client):
+    r = client.get("/api/trigger-error")
+    assert "Traceback" not in r.text
+    assert "__file__" not in r.text
+```
+
+---
+
+## A06: Vulnerable Components
+
+**Focus:** Dependency scanning, known CVEs. Typically handled by npm audit, pip-audit, Snyk, etc. Scripts can verify scan is run:
+
+```typescript
+describe('A06 - Vulnerable Components', () => {
+  it('should have no high/critical vulnerabilities in lockfile', async () => {
+    const { stdout } = await exec('npm audit --audit-level=high');
+    expect(stdout).not.toMatch(/found \d+ high/);
+  });
+});
+```
+
+---
+
+## A07: Identification and Authentication Failures
+
+**Focus:** Weak passwords, session fixation, credential stuffing.
+
+### Session Fixation
+
+```typescript
+describe('A07 - Authentication Failures', () => {
+  it('should issue new session ID after login', async () => {
+    const { browser } = await playwright.chromium.launch();
+    const page = await browser.newPage();
+    const cookiesBefore = await page.context().cookies();
+    await page.goto('/login');
+    await page.fill('#username', 'test');
+    await page.fill('#password', 'Test123!');
+    await page.click('button[type=submit]');
+    const cookiesAfter = await page.context().cookies();
+    const sessionBefore = cookiesBefore.find((c) => c.name === 'sessionId');
+    const sessionAfter = cookiesAfter.find((c) => c.name === 'sessionId');
+    expect(sessionAfter?.value).not.toBe(sessionBefore?.value);
+  });
+});
+```
+
+### Weak Password Policy
+
+```python
+def test_weak_password_rejected(client):
+    r = client.post("/api/register", json={
+        "email": "test@example.com",
+        "password": "123",
+    })
+    assert r.status_code == 400
+    assert "password" in r.json().get("errors", {}).get("password", "").lower()
+```
+
+---
+
+## A08: Software and Data Integrity Failures
+
+**Focus:** Unsigned updates, deserialization, CI/CD tampering.
+
+```python
+def test_deserialization_safe(client):
+    # Send malicious pickle/serialized payload
+    r = client.post("/api/import", data=b"\x80\x04...", headers={"Content-Type": "application/octet-stream"})
+    assert r.status_code in (400, 415)
+```
+
+---
+
+## A09: Security Logging and Monitoring Failures
+
+**Focus:** Missing audit logs, insufficient alerting. Often manual/ops; scripts can verify logging endpoints exist:
+
+```typescript
+it('should log failed login attempts', async () => {
+  await request(app).post('/api/login').send({ user: 'x', pass: 'y' });
+  // Verify log sink received event (mock or integration)
+  expect(logSpy).toHaveBeenCalledWith(expect.objectContaining({ event: 'login_failed' }));
+});
+```
+
+---
+
+## A10: Server-Side Request Forgery (SSRF)
+
+**Focus:** SSRF to internal services, cloud metadata.
+
+```python
+def test_ssrf_blocked(client):
+    internal_urls = [
+        "http://localhost/admin",
+        "http://169.254.169.254/latest/meta-data/",
+        "http://127.0.0.1:6379/",
+    ]
+    for url in internal_urls:
+        r = client.get("/api/fetch", params={"url": url})
+        assert r.status_code in (400, 403, 422)
+```
+
+```typescript
+describe('A10 - SSRF', () => {
+  it('should block internal URL fetch', async () => {
+    const res = await request(app)
+      .get('/api/proxy?url=' + encodeURIComponent('http://169.254.169.254/'))
+      .expect(400);
+  });
+});
+```
+
+---
+
+## Cross-Cutting: XSS (Reflected, Stored, DOM)
+
+### Stored XSS
+
+```python
+def test_stored_xss_blocked(client, auth_headers):
+    payload = "<img src=x onerror=alert(1)>"
+    r = client.post("/api/comments", json={"body": payload}, headers=auth_headers)
+    assert r.status_code in (200, 201)
+    r2 = client.get("/api/comments")
+    assert payload not in r2.text
+```
+
+### DOM XSS (Playwright)
+
+```typescript
+it('should not execute DOM XSS in hash', async () => {
+  const page = await browser.newPage();
+  const dialogSpy = page.waitForEvent('dialog');
+  await page.goto('/search#' + encodeURIComponent('<img src=x onerror=alert(1)>'));
+  await expect(dialogSpy).rejects.toThrow(/timeout/);
+});
+```
+
+---
+
+## Cross-Cutting: CSRF
+
+```typescript
+describe('CSRF', () => {
+  it('should require CSRF token for state-changing requests', async () => {
+    const res = await request(app)
+      .post('/api/transfer')
+      .set('Origin', 'https://evil.com')
+      .send({ to: 'attacker', amount: 1000 });
+    expect(res.status).toBe(403);
+  });
+});
+```
+
+---
+
+## References
+
+- [OWASP Top 10 2021](https://owasp.org/Top10/)
+- [OWASP WSTG](https://owasp.org/www-project-web-security-testing-guide/)
+- [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/)