How SecurityClaw Covers the OWASP Top 10: A Complete Mapping of Automated Security Skills to Every Category
Some links in this article may be affiliate links. We may earn a commission if you purchase through them, at no extra cost to you.
SecurityClaw now has automated skills covering all 10 OWASP Top 10 (2021) categories. This guide maps every skill to its OWASP category, explains what each skill detects, identifies where coverage is deep vs thin, and notes which skills require approval before running. If you're evaluating automated security scanning coverage, this is the reference.
Coverage Overview
| OWASP Category | Skills | Depth | Status |
|---|---|---|---|
| A01 Broken Access Control | 6 | 🟢 Deep | ✅ |
| A02 Cryptographic Failures | 1 | 🟡 Basic | ✅ |
| A03 Injection | 2 | 🟢 Good | ✅ |
| A04 Insecure Design | 1 | 🟡 Basic | ✅ |
| A05 Security Misconfiguration | 3 | 🟢 Good | ✅ |
| A06 Vulnerable Components | 2 | 🟢 Good | ✅ |
| A07 Auth Failures | 4 | 🟢 Deep | ✅ |
| A08 Data Integrity | 1 | 🟡 Basic | ✅ |
| A09 Logging/Monitoring | 1 | 🟡 Basic | ✅ |
| A10 SSRF | 1 | 🟡 Basic | ✅ |
| Total | 22 | 10/10 ✅ |
22 skills across 10 categories. Coverage ranges from deep (A01 with 6 skills) to basic (A02, A04, A08, A09, A10 with 1 skill each). The deep categories have multiple detection approaches; the basic categories have a single skill that covers the primary attack vector.
A01: Broken Access Control (6 Skills) — 🟢 Deep Coverage
Broken Access Control is the #1 OWASP category and SecurityClaw's deepest coverage area. Six skills target different access control failure modes:
idor-scanner — Detects Insecure Direct Object References by manipulating resource identifiers (IDs, filenames, UUIDs) in API requests and checking if the application returns data belonging to other users. Finds horizontal privilege escalation where User A can access User B's resources.
business-logic-scanner — Tests for business logic flaws that bypass access controls through unexpected workflows: skipping steps in multi-step processes, manipulating quantities or prices, accessing admin functions through parameter tampering.
authenticated_api_sweep — Crawls authenticated API endpoints and tests each one with different privilege levels. Finds vertical privilege escalation where a regular user can access admin endpoints.
swagger_admin_probe — Discovers and tests admin endpoints exposed through Swagger/OpenAPI documentation. Many applications expose their full API schema including admin routes that should be restricted.
auth-portal-tester — Tests authentication portals for common access control weaknesses: default credentials, account enumeration via error messages, missing rate limiting on login attempts, and password reset flow vulnerabilities.
oauth_scope_abuse — Tests OAuth implementations for scope escalation: requesting broader scopes than authorized, manipulating scope parameters, and testing token exchange flows for privilege escalation.
Practical example: The idor-scanner might find that GET /api/users/123/profile returns User 123's data when called by User 456 — a classic IDOR that exposes personal information across accounts.
A02: Cryptographic Failures (1 Skill) — 🟡 Basic Coverage
tls-crypto-auditor — Audits TLS configuration for weak protocols, cipher suites, certificate issues, and missing security headers. Detects: TLS 1.0/1.1 (deprecated), weak cipher suites (RC4, DES, 3DES), expired or self-signed certificates, missing HSTS headers, and certificate chain issues.
Practical example: Finds a server still accepting TLS 1.0 connections with RC4 cipher — vulnerable to BEAST and RC4 bias attacks. Reports the specific cipher suites offered and recommends TLS 1.2+ with AEAD ciphers only.
For a deep dive on TLS auditing, see How to Audit TLS Configuration: What Your Security Scanner Should Check in 2026.
Gap: No coverage for application-layer cryptographic failures — weak password hashing (MD5, SHA1), hardcoded encryption keys, or insecure random number generation. These typically require source code analysis rather than black-box scanning.
A03: Injection (2 Skills) — 🟢 Good Coverage
xss-probe — Detects reflected Cross-Site Scripting by injecting payloads into URL parameters, form fields, and headers, then checking if the payload appears unescaped in the response. Tests multiple encoding contexts (HTML, JavaScript, attribute, URL) and bypass techniques for common WAF rules.
sqli-probe — Detects SQL injection using two techniques: error-based detection (injecting syntax that triggers database error messages) and boolean-based detection (injecting conditions that change the response based on true/false evaluation). Covers MySQL, PostgreSQL, MSSQL, and Oracle error patterns.
Practical example: The sqli-probe injects ' OR '1'='1 into a search parameter and detects that the response changes — indicating the input is being concatenated into a SQL query without parameterization.
For detailed coverage: Detecting SQL Injection and Detecting Reflected XSS.
Gap: No coverage for stored XSS (requires multi-step testing), DOM-based XSS (requires JavaScript execution), command injection, LDAP injection, or XML injection. The two skills cover the most common injection types but not the full A03 surface.
Note: Both xss-probe and sqli-probe are active injection skills — they send potentially malicious payloads to the target. They require explicit approval before running against production systems.
A04: Insecure Design (1 Skill) — 🟡 Basic Coverage
security-header-checker — Verifies the presence and correct configuration of security-related HTTP response headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin headers (CORP, COEP, COOP).
Practical example: Finds a web application missing Content-Security-Policy entirely — meaning any injected script will execute without restriction. Reports the missing header and recommends a baseline CSP policy.
For the complete header guide: Security Headers in 2026: The Complete Guide.
Gap: A04 (Insecure Design) is the broadest OWASP category — it covers design-level flaws like missing rate limiting, lack of abuse case modeling, and insufficient input validation patterns. Security headers are one aspect, but the category fundamentally requires threat modeling and design review, which are difficult to automate with black-box scanning.
A05: Security Misconfiguration (3 Skills) — 🟢 Good Coverage
apigw-cors-tester — Tests CORS (Cross-Origin Resource Sharing) configuration for overly permissive policies: wildcard origins, reflected origins, null origin acceptance, and credentials with wildcard. A misconfigured CORS policy can allow any website to make authenticated requests to your API.
api-key-validator — Tests API endpoints for missing or weak authentication: endpoints accessible without API keys, keys accepted in URL parameters (logged in server access logs), and keys that work across environments (dev key accepted in production).
sensitive-service-fingerprint — Identifies exposed services that should not be publicly accessible: database admin panels (phpMyAdmin, Adminer), monitoring dashboards (Grafana, Kibana), CI/CD interfaces (Jenkins), and debug endpoints (Spring Actuator, Django debug toolbar).
Practical example: The apigw-cors-tester sends a request with Origin: https://evil.com and finds the server responds with Access-Control-Allow-Origin: https://evil.com — a reflected origin that allows any site to make cross-origin requests.
For CORS deep dive: CORS Misconfiguration: The Security Header That Breaks Everything.
A06: Vulnerable and Outdated Components (2 Skills) — 🟢 Good Coverage
tech-stack-cve-scanner — Fingerprints the target's technology stack (web server, framework, CMS, JavaScript libraries) and checks each component against known CVE databases. Detects outdated versions of Apache, Nginx, WordPress, jQuery, React, and hundreds of other components.
webmail-cve-fingerprint — Specialized scanner for webmail applications (Roundcube, Zimbra, Horde, SquirrelMail). Fingerprints the exact version and checks for known vulnerabilities. Webmail is a high-value target — a single RCE in a mail server can compromise an entire organization's email.
Practical example: The tech-stack-cve-scanner detects jQuery 3.4.1 loaded from a CDN and flags CVE-2020-11022 (XSS via HTML passed to jQuery's DOM manipulation methods). Reports the exact version, CVE ID, CVSS score, and remediation (upgrade to 3.5.0+).
A07: Identification and Authentication Failures (4 Skills) — 🟢 Deep Coverage
oauth-client-enum — Enumerates OAuth client IDs and tests for information disclosure through OAuth error messages. Finds: valid vs invalid client ID differentiation, redirect URI validation bypass, and authorization code reuse.
oauth-security-analysis — Comprehensive OAuth flow analysis: tests for PKCE enforcement, state parameter validation, token leakage via Referer headers, and implicit flow usage (deprecated in OAuth 2.1).
session-security-tester — Tests session management: cookie flags (HttpOnly, Secure, SameSite), session fixation (token rotation after login), idle/absolute timeouts, and logout invalidation (server-side session destruction).
open_redirect_hunter — Finds open redirect vulnerabilities in login flows, OAuth callbacks, and post-authentication redirects. Open redirects in auth flows enable phishing attacks that appear to originate from the legitimate application.
Practical example: The session-security-tester logs in, notes the session token, logs out, and replays the old token. If the server still accepts it, the logout doesn't invalidate server-side sessions — a finding that enables session replay attacks.
Related articles: Session Security Testing, JWT Security Vulnerabilities, Open Redirect Vulnerabilities.
A08: Software and Data Integrity Failures (1 Skill) — 🟡 Basic Coverage
sri-checker — Verifies Subresource Integrity (SRI) attributes on external script and stylesheet references. SRI ensures that resources loaded from CDNs haven't been tampered with — if a CDN is compromised, the browser will refuse to execute scripts that don't match the expected hash.
Practical example: Finds <script src="https://cdn.example.com/lib.js"> without an integrity attribute. If the CDN is compromised, the attacker's modified script will execute in every user's browser. Reports the missing SRI and provides the correct hash to add.
Gap: A08 also covers CI/CD pipeline integrity, unsigned software updates, and deserialization vulnerabilities. SRI checking covers the client-side integrity aspect but not the broader supply chain and deserialization attack surface.
A09: Security Logging and Monitoring Failures (1 Skill) — 🟡 Basic Coverage
logging-monitor-checker — Tests whether the application logs security-relevant events: failed login attempts, access control failures, input validation failures, and server-side errors. Also checks for log injection vulnerabilities (user input appearing unescaped in logs).
Practical example: Sends 10 failed login attempts and checks if the application's response behavior changes (rate limiting, account lockout, CAPTCHA). If 10 failed attempts produce no defensive response, the application likely isn't monitoring authentication failures.
Gap: A09 is inherently difficult to test from the outside. The skill can detect the absence of defensive responses to suspicious activity, but it can't verify that logs are being collected, stored securely, or monitored by a SIEM. Full A09 coverage requires access to the logging infrastructure.
A10: Server-Side Request Forgery (1 Skill) — 🟡 Basic Coverage
ssrf-probe — Tests for SSRF by injecting internal URLs into parameters that trigger server-side requests: URL fetchers, webhook configurations, file import features, and PDF generators. Tests for access to cloud metadata endpoints (AWS 169.254.169.254, GCP, Azure), internal network scanning, and protocol smuggling.
Practical example: Injects http://169.254.169.254/latest/meta-data/iam/security-credentials/ into a URL parameter and detects that the response contains AWS IAM credentials — a critical SSRF that exposes cloud infrastructure credentials.
For the full SSRF guide: Server-Side Request Forgery in 2026: What Your Scanner Should Detect.
Note: ssrf-probe is an active injection skill that sends requests to internal endpoints. It requires explicit approval before running.
Where Coverage Is Thin
Full OWASP coverage doesn't mean full security coverage. Here's where SecurityClaw's automated scanning has known limitations:
| Category | What's Covered | What's Not Covered |
|---|---|---|
| A02 | TLS configuration | Application-layer crypto (password hashing, key management) |
| A03 | Reflected XSS, error/boolean SQLi | Stored XSS, DOM XSS, command injection, LDAP injection |
| A04 | Security headers | Design-level flaws (threat modeling, abuse cases) |
| A08 | SRI on external resources | CI/CD integrity, deserialization, supply chain |
| A09 | Absence of defensive responses | Log collection, SIEM integration, alert configuration |
The pattern: SecurityClaw excels at black-box testing — sending requests and analyzing responses. It's weaker on issues that require source code access (crypto implementation), multi-step interaction (stored XSS), or infrastructure visibility (logging configuration). This is a fundamental limitation of automated scanning, not specific to SecurityClaw.
Skills Requiring Approval
Some SecurityClaw skills send potentially malicious payloads to the target. These require explicit approval before running:
| Skill | Why Approval Required | OWASP |
|---|---|---|
| xss-probe | Injects script payloads into parameters | A03 |
| sqli-probe | Injects SQL syntax into parameters | A03 |
| ssrf-probe | Sends requests to internal/cloud metadata endpoints | A10 |
All other skills are passive or semi-passive — they analyze responses to normal requests without injecting malicious payloads. These can run without approval in most scanning policies.
What's Next
SecurityClaw has achieved breadth — all 10 OWASP categories covered. The next phase is depth:
- A03 expansion: Stored XSS detection (requires multi-step testing with state), command injection probes, and template injection detection.
- A02 expansion: Certificate transparency log monitoring, weak password hashing detection (via timing analysis), and JWT-specific crypto checks.
- A05 expansion: Cloud misconfiguration scanning (S3 bucket policies, Azure blob access, GCP IAM), Kubernetes RBAC analysis, and serverless function permission auditing.
- Campaign runner integration: The 4 newest skills (sri-checker, session-security-tester, security-header-checker, logging-monitor-checker) need to be wired into the automated campaign runner for hands-off scanning.
The goal isn't to replace manual penetration testing — it's to automate the repeatable checks so human testers can focus on the creative, context-dependent work that machines can't do. SecurityClaw handles the checklist; humans handle the thinking.