name: security-audit
description: Security audit patterns for PHP/OWASP. Use when conducting security assessments, identifying vulnerabilities (XXE, SQL injection, XSS), or CVSS scoring.
version: 1.0.0
triggers:
- security
- audit
- owasp
- vulnerabilities
- xxe
- sql injection
- xss
- cvss

Security Audit Skill

Security audits, vulnerability assessment, and secure coding patterns aligned with OWASP.

Expertise Areas

• Vulnerabilities: XXE, SQL injection, XSS, CSRF, auth flaws, insecure deserialization
• Risk Scoring: CVSS v3.1 methodology
• Secure Coding: Input validation, output encoding, cryptography, session management

OWASP Top 10 (2021)

XXE Prevention

XML External Entity injection allows attackers to read files, perform SSRF, or DoS.

Vulnerable Code

// ❌ VULNERABLE - External entities enabled
$doc = new DOMDocument();
$doc->loadXML($userInput);

Secure Code

// ✅ SECURE - Disable external entities
$doc = new DOMDocument();
$doc->loadXML(
    $userInput,
    LIBXML_NONET | LIBXML_NOENT | LIBXML_DTDLOAD
);

// Or use libxml_disable_entity_loader for older PHP
libxml_disable_entity_loader(true); // Deprecated in PHP 8.0

SimpleXML Secure Usage

// ✅ SECURE
$xml = simplexml_load_string(
    $userInput,
    'SimpleXMLElement',
    LIBXML_NONET | LIBXML_NOENT
);

SQL Injection Prevention

Vulnerable Code

// ❌ VULNERABLE - Direct string interpolation
$query = "SELECT * FROM users WHERE id = " . $_GET['id'];
$result = $pdo->query($query);

Secure Code - PDO

// ✅ SECURE - Prepared statements
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?');
$stmt->execute([$id]);
$result = $stmt->fetchAll();

Secure Code - TYPO3 QueryBuilder

// ✅ SECURE - TYPO3 QueryBuilder with named parameters
$queryBuilder = $this->connectionPool->getQueryBuilderForTable('users');
$result = $queryBuilder
    ->select('*')
    ->from('users')
    ->where(
        $queryBuilder->expr()->eq(
            'uid',
            $queryBuilder->createNamedParameter($id, Connection::PARAM_INT)
        )
    )
    ->executeQuery()
    ->fetchAllAssociative();

XSS Prevention

Output Encoding

// ✅ SECURE - Escape all output
echo htmlspecialchars($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8');

Fluid Templates

<!-- ✅ SAFE - Auto-escaped -->
{variable}

<!-- ❌ DANGEROUS - Raw output, use only for trusted HTML -->
{variable -> f:format.raw()}

<!-- ✅ SAFE - Explicit escaping -->
{variable -> f:format.htmlspecialchars()}

Content Security Policy

// Set CSP header
header("Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';");

CSRF Protection

Form Tokens

// Generate token
$token = bin2hex(random_bytes(32));
$_SESSION['csrf_token'] = $token;

// Validate token
if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    throw new SecurityException('CSRF token mismatch');
}

TYPO3 CSRF Protection

use TYPO3\CMS\Core\FormProtection\FormProtectionFactory;

// Generate
$formProtection = $this->formProtectionFactory->createFromRequest($request);
$token = $formProtection->generateToken('myForm');

// Validate
$isValid = $formProtection->validateToken($token, 'myForm');

API Key Encryption at Rest

Never store API keys in plain text. Use sodium for encryption:

<?php
declare(strict_types=1);

final class ApiKeyEncryption
{
    public function encrypt(string $apiKey, string $key): string
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $encrypted = sodium_crypto_secretbox($apiKey, $nonce, $key);
        return 'enc:' . base64_encode($nonce . $encrypted);
    }

    public function decrypt(string $encrypted, string $key): string
    {
        if (!str_starts_with($encrypted, 'enc:')) {
            throw new \InvalidArgumentException('Invalid encrypted format');
        }

        $decoded = base64_decode(substr($encrypted, 4));
        $nonce = substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ciphertext = substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

        $decrypted = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
        if ($decrypted === false) {
            throw new \RuntimeException('Decryption failed');
        }

        return $decrypted;
    }
}

Password Hashing

Modern Password Hashing

// ✅ SECURE - Use password_hash with Argon2id
$hash = password_hash($password, PASSWORD_ARGON2ID);

// Verify
if (password_verify($inputPassword, $storedHash)) {
    // Valid password
}

// Check if rehash needed (algorithm upgrade)
if (password_needs_rehash($storedHash, PASSWORD_ARGON2ID)) {
    $newHash = password_hash($password, PASSWORD_ARGON2ID);
    // Update stored hash
}

TYPO3 Password Hashing

use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;

$hashInstance = GeneralUtility::makeInstance(PasswordHashFactory::class)
    ->getDefaultHashInstance('BE');

$hash = $hashInstance->getHashedPassword($password);
$isValid = $hashInstance->checkPassword($password, $hash);

CVSS v3.1 Scoring

Base Metrics

Severity Ratings

Example CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8 (Critical)

Translation:
- Network accessible
- Low complexity
- No privileges required
- No user interaction
- Unchanged scope
- High impact on C/I/A

Security Audit Checklist

Authentication & Authorization

• [ ] Passwords hashed with Argon2id or bcrypt
• [ ] MFA enabled for privileged accounts
• [ ] Session tokens regenerated on login
• [ ] Proper logout (session destruction)
• [ ] Role-based access control (RBAC)

Input Validation

• [ ] All input validated server-side
• [ ] Parameterized SQL queries (no interpolation)
• [ ] XML external entities disabled
• [ ] File uploads restricted (type, size, location)

Output Encoding

• [ ] Context-appropriate encoding (HTML, JS, URL)
• [ ] Content Security Policy configured
• [ ] X-Content-Type-Options: nosniff
• [ ] X-Frame-Options: DENY or SAMEORIGIN

Secrets Management

• [ ] API keys encrypted at rest
• [ ] Secrets not in version control
• [ ] Environment variables for config
• [ ] Key rotation policy

Transport Security

• [ ] TLS 1.2+ enforced
• [ ] HSTS header set
• [ ] Certificate validity monitored

Logging & Monitoring

• [ ] Authentication events logged
• [ ] Failed login attempts tracked
• [ ] Sensitive data not logged
• [ ] Audit trail for privileged actions

Secure Configuration (TYPO3)

// config/system/settings.php
return [
    'BE' => [
        'debug' => false,
        'lockIP' => 4,
        'lockSSL' => true,
    ],
    'FE' => [
        'debug' => false,
        'lockSSL' => true,
    ],
    'SYS' => [
        'displayErrors' => 0,
        'devIPmask' => '',
        'trustedHostsPattern' => 'example\\.com|www\\.example\\.com',
        'features' => [
            'security.backend.enforceReferrer' => true,
            'security.frontend.enforceContentSecurityPolicy' => true,
        ],
    ],
];

Related Skills

• security-incident-reporting - Post-incident documentation, NIST/SANS frameworks, DDoS post-mortem, CVE correlation
• typo3-security - TYPO3-specific hardening and configuration

Credits & Attribution

This skill is based on the excellent work by
Netresearch DTT GmbH.

Original repository: https://github.com/netresearch/security-audit-skill

Copyright (c) Netresearch DTT GmbH - Methodology and best practices
Adapted by webconsulting.at for this skill collection