performing-web-application-vulnerability-triage▌
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
Triage web application vulnerability findings from DAST/SAST scanners using OWASP risk rating methodology to separate true positives from false positives and prioritize remediation.
| name | performing-web-application-vulnerability-triage |
| description | Triage web application vulnerability findings from DAST/SAST scanners using OWASP risk rating methodology to separate true positives from false positives and prioritize remediation. |
| domain | cybersecurity |
| subdomain | vulnerability-management |
| tags | - web-application - vulnerability-triage - owasp - dast - sast - burp-suite - zap - false-positive - risk-rating |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - ID.RA-01 - ID.RA-02 - ID.IM-02 - ID.RA-06 |
Performing Web Application Vulnerability Triage
Overview
Web application vulnerability triage is the process of reviewing findings from DAST (Dynamic Application Security Testing) and SAST (Static Application Security Testing) tools to validate true positives, dismiss false positives, assign risk ratings using the OWASP Risk Rating Methodology, and prioritize remediation. Effective triage reduces alert fatigue and focuses development teams on the vulnerabilities that matter most.
When to Use
- When conducting security assessments that involve performing web application vulnerability triage
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- DAST scan results (OWASP ZAP, Burp Suite, Acunetix)
- SAST scan results (Semgrep, SonarQube, Checkmarx, Snyk Code)
- Python 3.9+ with
requests,beautifulsoup4 - Burp Suite Professional or OWASP ZAP for manual validation
- DefectDojo or similar for finding management
OWASP Risk Rating Methodology
Risk Calculation
Risk = Likelihood x Impact
Likelihood Factors (0-9 scale)
| Factor Group | Factor | Description |
|---|---|---|
| Threat Agent | Skill Level | How technically skilled is the attacker? |
| Threat Agent | Motive | How motivated is the attacker? |
| Threat Agent | Opportunity | What resources/access are needed? |
| Threat Agent | Size | How large is the potential threat agent group? |
| Vulnerability | Ease of Discovery | How easy is it to find the vulnerability? |
| Vulnerability | Ease of Exploit | How easy is it to exploit? |
| Vulnerability | Awareness | How well known is the vulnerability? |
| Vulnerability | Intrusion Detection | How likely is exploitation to be detected? |
Impact Factors (0-9 scale)
| Factor Group | Factor | Description |
|---|---|---|
| Technical | Confidentiality | How much data could be disclosed? |
| Technical | Integrity | How much data could be corrupted? |
| Technical | Availability | How much service could be lost? |
| Technical | Accountability | Can actions be traced to attacker? |
| Business | Financial Damage | Revenue loss, regulatory fines |
| Business | Reputation Damage | Brand trust erosion |
| Business | Non-compliance | Regulatory violation exposure |
| Business | Privacy Violation | PII/PHI exposure volume |
Risk Matrix
| Low Impact (0-3) | Medium Impact (3-6) | High Impact (6-9) | |
|---|---|---|---|
| High Likelihood (6-9) | Medium | High | Critical |
| Medium Likelihood (3-6) | Low | Medium | High |
| Low Likelihood (0-3) | Note | Low | Medium |
Triage Process
Step 1: Categorize by OWASP Top 10
OWASP_TOP_10_2021 = {
"A01": "Broken Access Control",
"A02": "Cryptographic Failures",
"A03": "Injection",
"A04": "Insecure Design",
"A05": "Security Misconfiguration",
"A06": "Vulnerable and Outdated Components",
"A07": "Identification and Authentication Failures",
"A08": "Software and Data Integrity Failures",
"A09": "Security Logging and Monitoring Failures",
"A10": "Server-Side Request Forgery",
}
CWE_TO_OWASP = {
"CWE-79": "A03", # XSS -> Injection
"CWE-89": "A03", # SQL Injection
"CWE-78": "A03", # OS Command Injection
"CWE-352": "A01", # CSRF -> Access Control
"CWE-22": "A01", # Path Traversal
"CWE-200": "A02", # Information Exposure
"CWE-327": "A02", # Weak Cryptography
"CWE-287": "A07", # Authentication Issues
"CWE-918": "A10", # SSRF
"CWE-502": "A08", # Deserialization
"CWE-611": "A05", # XXE -> Misconfiguration
}
Step 2: Validate True vs False Positives
def triage_finding(finding):
"""Classify finding as true_positive, false_positive, or needs_review."""
fp_indicators = [
"Content-Security-Policy header not set", # Often informational
"X-Content-Type-Options header missing", # Low severity header
"Cookie without SameSite attribute", # Context dependent
]
for indicator in fp_indicators:
if indicator.lower() in finding.get("title", "").lower():
if finding.get("severity", "").lower() in ("info", "low"):
return "false_positive", "Common informational finding"
# Check for confirmed exploitation evidence
if finding.get("evidence") and finding.get("confidence", "").lower() == "certain":
return "true_positive", "Scanner confirmed exploitation"
# SAST findings need manual code review
if finding.get("source") == "sast":
if finding.get("cwe") in ["CWE-89", "CWE-78", "CWE-79"]:
return "needs_review", "Injection finding requires manual code review"
return "needs_review", "Requires manual validation"
Step 3: Risk Score Calculation
def calculate_risk_score(finding, app_context):
"""Calculate OWASP risk rating for a web application finding."""
# Likelihood factors
likelihood = {
"skill_level": 6 if finding["cwe"] in ["CWE-89", "CWE-79"] else 4,
"motive": 7, # Financial gain
"opportunity": 7 if finding.get("authenticated") == False else 4,
"size": 9 if finding.get("internet_facing") else 4,
"ease_of_discovery": 8 if finding.get("scanner_detected") else 5,
"ease_of_exploit": 7 if finding.get("exploit_available") else 4,
"awareness": 6,
"intrusion_detection": 3 if app_context.get("waf_enabled") else 8,
}
# Impact factors
impact = {
"confidentiality": 9 if "data_exposure" in finding.get("tags", []) else 5,
"integrity": 9 if finding["cwe"] in ["CWE-89", "CWE-78"] else 4,
"availability": 7 if "dos" in finding.get("tags", []) else 2,
"accountability": 3 if app_context.get("logging_enabled") else 7,
"financial": 7 if app_context.get("processes_payments") else 3,
"reputation": 6 if app_context.get("customer_facing") else 2,
"compliance": 8 if app_context.get("pci_scope") else 3,
"privacy": 9 if app_context.get("handles_pii") else 2,
}
likelihood_score = sum(likelihood.values()) / len(likelihood)
impact_score = sum(impact.values()) / len(impact)
risk_score = likelihood_score * impact_score
if risk_score >= 42:
risk_level = "Critical"
elif risk_score >= 24:
risk_level = "High"
elif risk_score >= 12:
risk_level = "Medium"
elif risk_score >= 3:
risk_level = "Low"
else:
risk_level = "Note"
return {
"likelihood_score": round(likelihood_score, 1),
"impact_score": round(impact_score, 1),
"risk_score": round(risk_score, 1),
"risk_level": risk_level,
}
Step 4: Generate Triage Report
# Process DAST/SAST results through triage pipeline
python3 scripts/process.py \
--input zap_results.json \
--format zap \
--app-context app_config.json \
--output triage_report.json
Manual Validation Techniques
SQL Injection Validation
# Test parameter with single quote
GET /search?q=test' HTTP/1.1
# Test with boolean-based payload
GET /search?q=test' AND 1=1-- HTTP/1.1
GET /search?q=test' AND 1=2-- HTTP/1.1
# Time-based verification
GET /search?q=test'; WAITFOR DELAY '0:0:5'-- HTTP/1.1
XSS Validation
# Reflected XSS test
GET /search?q=<script>alert(document.domain)</script> HTTP/1.1
# Check if output is encoded
GET /search?q="><img src=x onerror=alert(1)> HTTP/1.1
# DOM-based XSS
GET /page#<img src=x onerror=alert(1)> HTTP/1.1
References
How to use performing-web-application-vulnerability-triage on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add performing-web-application-vulnerability-triage
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches performing-web-application-vulnerability-triage from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate performing-web-application-vulnerability-triage. Access the skill through slash commands (e.g., /performing-web-application-vulnerability-triage) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client with skill support
- ›Clear understanding of task or problem to solve
- ›Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Installation Steps
- 1.Install skill using provided installation command
- 2.Test with simple use case relevant to your work
- 3.Evaluate output quality and relevance
- 4.Iterate on prompts to improve results
- 5.Integrate into regular workflow if valuable
Common Pitfalls
- ⚠Expecting perfect results without iteration
- ⚠Not providing enough context in prompts
- ⚠Using skill for tasks outside its intended scope
- ⚠Accepting outputs without review and validation
Best Practices▌
✓ Do
- +Start with clear, specific prompts
- +Provide relevant context and constraints
- +Review and refine all outputs before using
- +Iterate to improve output quality
- +Document successful prompt patterns
✗ Don't
- −Don't use without understanding skill limitations
- −Don't skip validation of outputs
- −Don't share sensitive information in prompts
- −Don't expect skill to replace human judgment
💡 Pro Tips
- ★Be specific about desired format and style
- ★Ask for multiple options to choose from
- ★Request explanations to understand reasoning
- ★Combine AI efficiency with human expertise
When to Use This▌
✓ Use When
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid When
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path▌
- 1Familiarize yourself with skill capabilities and limitations
- 2Start with low-risk, non-critical tasks
- 3Progress to more complex and valuable use cases
- 4Build expertise through regular use and experimentation
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.7★★★★★60 reviews- ★★★★★Kofi Bhatia· Dec 28, 2024
performing-web-application-vulnerability-triage reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Xiao Chen· Dec 28, 2024
I recommend performing-web-application-vulnerability-triage for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Nikhil Huang· Dec 20, 2024
We added performing-web-application-vulnerability-triage from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Aditi Ghosh· Dec 12, 2024
Useful defaults in performing-web-application-vulnerability-triage — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★Pratham Ware· Dec 8, 2024
We added performing-web-application-vulnerability-triage from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Kofi Ramirez· Dec 8, 2024
Keeps context tight: performing-web-application-vulnerability-triage is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Dhruvi Jain· Dec 4, 2024
I recommend performing-web-application-vulnerability-triage for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★James Srinivasan· Nov 27, 2024
performing-web-application-vulnerability-triage is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★Oshnikdeep· Nov 23, 2024
Useful defaults in performing-web-application-vulnerability-triage — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★Kofi Desai· Nov 23, 2024
We added performing-web-application-vulnerability-triage from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
showing 1-10 of 60