Created
March 12, 2026 04:08
-
-
Save Aaronontheweb/83d1fc677c87e24c6ee4c779231dc096 to your computer and use it in GitHub Desktop.
OWASP Security Scanner - Multi-agent OpenProse workflow for ASP.NET Core / Blazor Server apps (ASVS Level 1 & 2 / CASA Tier 2)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # OWASP Security Scanner | |
| # | |
| # Multi-agent workflow to find OWASP vulnerabilities in your ASP.NET Core app, | |
| # critique the analysis for false positives, and propose fixes. | |
| # | |
| # Usage: prose run .prose/owasp-security-scan.prose | |
| # | |
| # This covers application-level security (what CASA Tier 2 checks). | |
| # Infrastructure (Kubernetes, etc.) is NOT in scope for Tier 2. | |
| # | |
| # REQUIREMENTS: | |
| # - OWASP ASVS MCP Server must be installed and configured | |
| # - Install: ~/.claude/mcp-servers/owasp-asvs-mcp-server/ | |
| # - See: https://github.com/clintcan/owasp-asvs-mcp-server | |
| input focus_area: "all" # Options: all, auth, injection, xss, access-control, crypto, data-exposure | |
| # ============================================================================ | |
| # Prerequisite Check - Fail fast if OWASP ASVS MCP is not available | |
| # ============================================================================ | |
| let mcp_check = session "Verify OWASP ASVS MCP server" | |
| prompt: """ | |
| CRITICAL: Before proceeding, verify the OWASP ASVS MCP server is available. | |
| Try calling the MCP tool: get_category_summary | |
| If this fails or the tool is not found, report failure. | |
| If successful, report the ASVS version and number of requirements loaded. | |
| """ | |
| if **OWASP ASVS MCP server is not available**: | |
| throw "OWASP ASVS MCP server is required but not available. Install from https://github.com/clintcan/owasp-asvs-mcp-server" | |
| # ============================================================================ | |
| # Agent Definitions | |
| # ============================================================================ | |
| agent owasp_scanner: | |
| model: opus | |
| prompt: """ | |
| You are an OWASP security specialist. You know the OWASP Top 10 and ASVS deeply. | |
| Your approach: | |
| 1. Methodically check each vulnerability category | |
| 2. Cite specific code locations (file:line) | |
| 3. Rate severity: Critical, High, Medium, Low | |
| 4. Explain the attack vector clearly | |
| 5. No false positives - only report confirmed issues | |
| Focus on ASP.NET Core, Blazor Server, and Akka.NET patterns. | |
| """ | |
| agent security_critic: | |
| model: opus | |
| prompt: """ | |
| You are a security review skeptic. Your job is to challenge findings. | |
| For each reported vulnerability: | |
| 1. Is this actually exploitable in this context? | |
| 2. Are there mitigating controls already in place? | |
| 3. Is this a false positive due to framework protections? | |
| 4. What's the realistic attack scenario? | |
| ASP.NET Core has built-in protections. Blazor Server runs on the server. | |
| Don't let scanners cry wolf about things the framework handles. | |
| """ | |
| agent fix_architect: | |
| model: opus | |
| prompt: """ | |
| You are a security remediation expert for .NET applications. | |
| For confirmed vulnerabilities: | |
| 1. Propose the minimal fix | |
| 2. Show before/after code | |
| 3. Explain why this fix works | |
| 4. Note any breaking changes | |
| 5. Suggest a test to verify the fix | |
| Prefer framework-native solutions over custom code. | |
| """ | |
| agent aspnet_specialist: | |
| model: opus | |
| prompt: """ | |
| You are an ASP.NET Core security specialist with deep knowledge of: | |
| - OWASP Cheat Sheet Series (especially .NET Security Cheat Sheet) | |
| - ASP.NET Core built-in security features | |
| - Blazor Server security model | |
| - Entity Framework Core security patterns | |
| - Authentication/Authorization middleware | |
| Your role is to cross-reference findings against ASP.NET Core best practices: | |
| 1. Identify where the framework already provides protection | |
| 2. Flag missing use of built-in security features | |
| 3. Recommend framework-native solutions over custom code | |
| 4. Check for proper middleware ordering (security middleware must come first) | |
| 5. Verify Data Protection API usage for sensitive data | |
| Reference: https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html | |
| """ | |
| # ============================================================================ | |
| # Phase 1: Parallel OWASP Category Scans | |
| # ============================================================================ | |
| session """ | |
| Starting OWASP security scan. | |
| # TODO: Update the repository structure below to match your project layout | |
| Repository structure: | |
| - src/MyApp.Api/ - ASP.NET Core API + Blazor Server UI | |
| - src/MyApp.Domain/ - Domain entities | |
| - src/MyApp.Infrastructure/ - Services, DbContext | |
| - src/MyApp.Actors/ - Akka.NET actors (if applicable) | |
| Focus area: {focus_area} | |
| First, let me understand the authentication and authorization setup. | |
| Read: | |
| - src/MyApp.Api/Authentication/ | |
| - src/MyApp.Api/Authorization/ | |
| """ | |
| # First, load the ASVS requirements we'll check against | |
| let asvs_requirements = session "Load ASVS requirements for target areas" | |
| prompt: """ | |
| Use the OWASP ASVS MCP tools to load requirements for our scan. | |
| Call these MCP tools: | |
| 1. get_requirements_by_category with category="Access Control" | |
| 2. get_requirements_by_category with category="Authentication" | |
| 3. get_requirements_by_category with category="Session Management" | |
| 4. get_requirements_by_category with category="Validation, Sanitization and Encoding" | |
| 5. get_requirements_by_category with category="Stored Cryptography" | |
| 6. get_requirements_by_category with category="Error Handling and Logging" | |
| For each, filter to Level 1 and Level 2 (what CASA Tier 2 requires). | |
| Compile a checklist of specific ASVS requirement IDs we need to verify. | |
| """ | |
| parallel: | |
| # A1: Broken Access Control | |
| access_control_scan = session: owasp_scanner | |
| prompt: """ | |
| **A1: Broken Access Control** - Check for: | |
| Use the ASVS requirements from the MCP server as your checklist. | |
| Call: search_requirements with query="access control" to get specific IDs. | |
| 1. Multi-tenancy bypass - Can user A access user B's data? | |
| - Check all service methods for tenant/organization ID filtering | |
| - Check API endpoints for proper authorization | |
| - Check external integrations for tenant boundaries | |
| 2. Privilege escalation - Can regular user access admin functions? | |
| - Check authorization policies | |
| - Check role enforcement | |
| 3. IDOR (Insecure Direct Object Reference) | |
| - Can users manipulate IDs to access unauthorized resources? | |
| - Check: entity IDs, resource IDs, webhook IDs, token IDs | |
| Search patterns: | |
| - Methods that query by ID without tenant/ownership check | |
| - Endpoints missing [Authorize] attributes | |
| - Services that don't validate ownership | |
| Report each finding with file:line reference. | |
| """ | |
| # A2: Cryptographic Failures | |
| crypto_scan = session: owasp_scanner | |
| prompt: """ | |
| **A2: Cryptographic Failures** - Check for: | |
| 1. Sensitive data exposure | |
| - Are OAuth tokens encrypted at rest? | |
| - Are API tokens properly hashed (not plaintext)? | |
| - Is PII logged anywhere? | |
| 2. Weak cryptography | |
| - Check encryption algorithms used | |
| - Check key management | |
| 3. Data in transit | |
| - HTTPS enforcement | |
| - Secure cookie flags | |
| Search for: | |
| - Plaintext storage of secrets | |
| - MD5 or SHA1 for security purposes | |
| - Missing encryption on sensitive fields | |
| Report each finding with file:line reference. | |
| """ | |
| # A3: Injection | |
| injection_scan = session: owasp_scanner | |
| prompt: """ | |
| **A3: Injection** - Check for: | |
| 1. SQL Injection | |
| - Raw SQL queries with string concatenation | |
| - EF Core - check for FromSqlRaw with user input | |
| - Check any Dapper or raw ADO.NET usage | |
| 2. Command Injection | |
| - Process.Start with user input | |
| - Shell commands | |
| 3. LDAP/XPath/other injection | |
| - Unlikely in most apps but check | |
| Note: EF Core parameterizes by default. Focus on raw SQL. | |
| Report each finding with file:line reference. | |
| """ | |
| # A7: Cross-Site Scripting (XSS) | |
| xss_scan = session: owasp_scanner | |
| prompt: """ | |
| **A7: Cross-Site Scripting** - Check for: | |
| 1. Blazor Server context | |
| - Blazor auto-encodes by default | |
| - Check for MarkupString or @((MarkupString)...) | |
| - Check for JavaScript interop with user data | |
| 2. API responses | |
| - Content-Type headers | |
| - JSON encoding | |
| 3. Rich content rendering | |
| - How is user-supplied HTML displayed? | |
| - Is it sanitized before rendering? | |
| Note: Blazor Server has strong XSS protection. Focus on: | |
| - Raw HTML rendering | |
| - JavaScript interop | |
| - User-generated content display | |
| Report each finding with file:line reference. | |
| """ | |
| # A5: Security Misconfiguration | |
| config_scan = session: owasp_scanner | |
| prompt: """ | |
| **A5: Security Misconfiguration** - Check for: | |
| 1. Debug/development settings in production | |
| - Detailed error messages exposed | |
| - Stack traces in responses | |
| - Swagger enabled in production? | |
| 2. Default credentials | |
| - Hardcoded secrets | |
| - Default API keys | |
| 3. Missing security headers | |
| - CORS configuration | |
| - CSP headers | |
| - X-Frame-Options | |
| 4. Verbose logging | |
| - Sensitive data in logs | |
| - Token values logged | |
| Search for: | |
| - IsDevelopment() checks that might leak | |
| - appsettings.json with secrets | |
| - Missing security headers | |
| Report each finding with file:line reference. | |
| """ | |
| # A4: Insecure Design (Business Logic) | |
| design_scan = session: owasp_scanner | |
| prompt: """ | |
| **A4: Insecure Design** - Check for: | |
| 1. Rate limiting | |
| - Are API endpoints rate limited? | |
| - Can someone abuse high-frequency operations? | |
| - External API quota protection? | |
| 2. Business logic flaws | |
| - Can items be approved multiple times? | |
| - Can rejected items be re-approved? | |
| - State machine violations? | |
| 3. Authentication flows | |
| - OAuth state parameter validation | |
| - Token refresh vulnerabilities | |
| - Session fixation | |
| Report each finding with file:line reference. | |
| """ | |
| # ASP.NET Core Best Practices Cross-Reference | |
| aspnet_best_practices_scan = session: aspnet_specialist | |
| prompt: """ | |
| **ASP.NET Core OWASP Best Practices** - Cross-reference against .NET Security Cheat Sheet: | |
| Reference: https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html | |
| 1. **Authentication & Session Management** | |
| - Is ASP.NET Core Identity or external auth properly configured? | |
| - Cookie authentication settings (HttpOnly, Secure, SameSite)? | |
| - Session timeout and sliding expiration? | |
| - Is session invalidation implemented on password change? | |
| - Anti-forgery token usage in forms? | |
| 2. **Data Protection** | |
| - Is IDataProtectionProvider used for encrypting tokens? | |
| - Are connection strings in User Secrets or environment vars (not appsettings.json)? | |
| - Is the Data Protection key ring properly configured for multi-instance? | |
| 3. **Input Validation** | |
| - Model validation attributes on all DTOs? | |
| - Is [ValidateAntiForgeryToken] on POST actions? | |
| - File upload restrictions (size, type, content validation)? | |
| 4. **Output Encoding** | |
| - Blazor Server auto-encoding verification | |
| - Any use of Html.Raw() or MarkupString? | |
| - JSON serialization settings (no type name handling)? | |
| 5. **Error Handling** | |
| - Is UseExceptionHandler configured for production? | |
| - Are stack traces hidden in production (UseDeveloperExceptionPage only in dev)? | |
| - Custom error pages configured? | |
| 6. **Security Headers** | |
| - Is HSTS enabled with UseHsts()? | |
| - X-Content-Type-Options: nosniff | |
| - X-Frame-Options or CSP frame-ancestors | |
| - Referrer-Policy header | |
| 7. **Middleware Ordering** | |
| - Authentication before Authorization? | |
| - HTTPS redirection early in pipeline? | |
| - CORS configured correctly? | |
| 8. **EF Core Security** | |
| - No string interpolation in FromSqlRaw? | |
| - Parameterized queries only? | |
| - No mass assignment vulnerabilities (use DTOs, not entities in binding)? | |
| 9. **Blazor Server Specific** | |
| - SignalR hub authorization? | |
| - Circuit-level state isolation? | |
| - No sensitive data in component parameters? | |
| For each check, report: | |
| - COMPLIANT: Framework protection confirmed at [file:line] | |
| - MISSING: Best practice not implemented | |
| - PARTIAL: Some controls present but incomplete | |
| Report file:line references for all findings. | |
| """ | |
| # ============================================================================ | |
| # Phase 2: Critique and Validation | |
| # ============================================================================ | |
| session "Compile all scan results into a single findings list, organized by severity." | |
| context: { access_control_scan, crypto_scan, injection_scan, xss_scan, config_scan, design_scan, aspnet_best_practices_scan } | |
| let raw_findings = session "Extract findings list" | |
| prompt: """ | |
| Create a numbered list of all findings: | |
| Format: | |
| [#] [SEVERITY] [CATEGORY] - Title | |
| File: path:line | |
| Issue: description | |
| Attack: how it could be exploited | |
| ASP.NET Core: [COMPLIANT/MISSING/PARTIAL] - framework status | |
| Include findings from both OWASP category scans AND ASP.NET Core best practices scan. | |
| Highlight where framework protections are missing or misconfigured. | |
| """ | |
| context: { access_control_scan, crypto_scan, injection_scan, xss_scan, config_scan, design_scan, aspnet_best_practices_scan } | |
| # Critical review - cross-reference with ASP.NET Core best practices | |
| let validated_findings = session: security_critic | |
| prompt: """ | |
| Review each finding and validate or dispute it. | |
| For each finding, provide: | |
| - CONFIRMED / DISPUTED / NEEDS-MORE-INFO | |
| - Reasoning | |
| - If disputed: what mitigation exists | |
| - ASP.NET Core status: Does the framework handle this? Reference specific middleware/feature. | |
| Cross-reference against ASP.NET Core built-in protections: | |
| - Blazor Server auto-encodes output (XSS protection) | |
| - EF Core parameterizes queries by default (SQL injection protection) | |
| - ASP.NET Core Identity handles password hashing | |
| - Data Protection API for encryption | |
| - Anti-forgery tokens for CSRF | |
| - HTTPS redirection middleware | |
| Be rigorous. Only CONFIRM findings where: | |
| 1. Framework protection is not applicable to this scenario | |
| 2. Framework protection is explicitly bypassed in code | |
| 3. Required framework feature is not configured/enabled | |
| Reference: https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html | |
| """ | |
| context: { raw_findings, aspnet_best_practices_scan } | |
| # ============================================================================ | |
| # Phase 3: Fix Proposals | |
| # ============================================================================ | |
| let confirmed_issues = session "Filter confirmed issues" | |
| prompt: "Extract only the CONFIRMED findings, sorted by severity (Critical first)." | |
| context: validated_findings | |
| session: fix_architect | |
| prompt: """ | |
| For each confirmed vulnerability, propose a fix. | |
| Format for each: | |
| ## [Finding Title] | |
| **Severity:** [level] | |
| **File:** [path:line] | |
| **Current Code:** | |
| ```csharp | |
| // problematic code | |
| ``` | |
| **Proposed Fix:** | |
| ```csharp | |
| // fixed code | |
| ``` | |
| **Why This Works:** | |
| [explanation] | |
| **Test to Add:** | |
| [describe test case] | |
| """ | |
| context: confirmed_issues | |
| # ============================================================================ | |
| # Phase 4: Summary Report | |
| # ============================================================================ | |
| output report = session "Generate final security report" | |
| prompt: """ | |
| Generate a security assessment report. | |
| IMPORTANT: Use the OWASP ASVS MCP tools to map each finding to specific ASVS requirement IDs. | |
| Call: map_requirement_to_compliance for each finding to show compliance impact. | |
| # ASP.NET Core OWASP Security Assessment | |
| ## Executive Summary | |
| - Total findings: X | |
| - Confirmed vulnerabilities: X | |
| - False positives filtered: X | |
| - ASVS Level 1 compliance: X% | |
| - ASVS Level 2 compliance: X% | |
| - ASP.NET Core best practices: X/9 categories compliant | |
| ## Severity Breakdown | |
| - Critical: X | |
| - High: X | |
| - Medium: X | |
| - Low: X | |
| ## ASP.NET Core Security Posture | |
| Summarize the ASP.NET Core best practices scan results: | |
| | Category | Status | Notes | | |
| |----------|--------|-------| | |
| | Authentication & Session | COMPLIANT/MISSING/PARTIAL | | | |
| | Data Protection | COMPLIANT/MISSING/PARTIAL | | | |
| | Input Validation | COMPLIANT/MISSING/PARTIAL | | | |
| | Output Encoding | COMPLIANT/MISSING/PARTIAL | | | |
| | Error Handling | COMPLIANT/MISSING/PARTIAL | | | |
| | Security Headers | COMPLIANT/MISSING/PARTIAL | | | |
| | Middleware Ordering | COMPLIANT/MISSING/PARTIAL | | | |
| | EF Core Security | COMPLIANT/MISSING/PARTIAL | | | |
| | Blazor Server Security | COMPLIANT/MISSING/PARTIAL | | | |
| Reference: https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html | |
| ## Confirmed Vulnerabilities | |
| For each finding, include: | |
| - ASVS Requirement ID (e.g., V3.2.1) | |
| - ASVS Requirement text (from MCP) | |
| - ASP.NET Core best practice reference (if applicable) | |
| - Finding details | |
| - Proposed fix | |
| ## ASVS Compliance Checklist | |
| Use get_requirements_by_level with level=1 and level=2. | |
| Mark each requirement as: | |
| - [x] PASS - Verified compliant | |
| - [ ] FAIL - Finding identified | |
| - [?] UNKNOWN - Not assessed | |
| ## Disputed Findings | |
| [List findings that were false positives and why] | |
| [For each, explain the ASP.NET Core protection that mitigates the risk] | |
| ## Recommendations | |
| [Prioritized action items with ASVS requirement IDs] | |
| [Include ASP.NET Core-specific recommendations where framework features should be enabled] | |
| ## CASA Tier 2 Readiness | |
| Based on this assessment: | |
| 1. Is the application ready for CASA Tier 2? (Yes/No) | |
| 2. What ASVS requirements must be addressed first? | |
| 3. What ASP.NET Core best practices need implementation? | |
| 4. Estimated remediation effort | |
| Call: recommend_priority_controls with target_level=2 for prioritized next steps. | |
| """ | |
| context: { validated_findings, confirmed_issues, asvs_requirements, aspnet_best_practices_scan } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment