🛡️ 测试与安全

csrf-protection-validator

具备对 Web 应用 CSRF 防护机制的深度检测能力,可识别同步令牌、双提交 Cookie、SameSite 属性及来源验证等策略的缺失或配置缺陷,并定位高风险接口,生成包含漏洞详情与修复建议的安全评估报告。

快捷安装

在终端运行此命令,即可一键安装该 Skill 到您的 Claude 中

npx skills add jeremylongshore/claude-code-plugins-plus-skills --skill "csrf-protection-validator"

Overview

This skill empowers Claude to analyze web applications for CSRF vulnerabilities. It assesses the effectiveness of implemented CSRF protection mechanisms, providing insights into potential weaknesses and recommendations for remediation.

How It Works

  1. Analyze Endpoints: The plugin examines application endpoints to identify those lacking CSRF protection.
  2. Assess Protection Mechanisms: It validates the implementation of CSRF protection mechanisms, including token validation, double-submit cookies, SameSite attributes, and origin validation.
  3. Generate Report: A detailed report is generated, highlighting vulnerable endpoints, potential attack scenarios, and recommended fixes.

When to Use This Skill

This skill activates when you need to:

  • Validate existing CSRF protection measures.
  • Identify CSRF vulnerabilities in a web application.
  • Assess the risk associated with unprotected endpoints.
  • Generate a report outlining CSRF vulnerabilities and recommended fixes.

Examples

Example 1: Identifying Unprotected API Endpoints

User request: “validate csrf”

The skill will:

  1. Analyze the application’s API endpoints.
  2. Identify endpoints lacking CSRF protection, such as those handling sensitive data modifications.
  3. Generate a report outlining vulnerable endpoints and potential attack vectors.

User request: “Check for csrf vulnerabilities in my application”

The skill will:

  1. Analyze the application’s cookie settings.
  2. Verify that SameSite attributes are properly configured to mitigate CSRF attacks.
  3. Report any cookies lacking the SameSite attribute or using an insecure setting.

Best Practices

  • Regular Validation: Regularly validate CSRF protection mechanisms as part of the development lifecycle.
  • Comprehensive Coverage: Ensure all state-changing operations are protected against CSRF attacks.
  • Secure Configuration: Use secure configurations for CSRF protection mechanisms, such as strong token generation and proper SameSite attribute settings.

Integration

This skill can be used in conjunction with other security plugins to provide a comprehensive security assessment of web applications. For example, it can be combined with a vulnerability scanner to identify other potential vulnerabilities in addition to CSRF weaknesses.

🔗 相关技巧

superpowers-workflow

遵循结构化流程处理开发任务,涵盖需求澄清、分步规划、测试优先的实现、代码审查与验证总结,适用于功能开发、调试、重构及自动化设计等场景,根据变更风险动态调整流程严格度。

webapp-testing

提供对本地 Web 应用的端到端测试能力,支持启动服务、自动化交互、截图诊断、控制台日志捕获及动态 DOM 分析,适用于验证前端功能与调试 UI 行为。

pr-creator

自动化创建符合规范的拉取请求,涵盖分支切换、模板识别与填充、预检验证及标准化提交,确保代码审查流程的合规性与完整性。

java-python-code-reviewer

提供针对 Java与 Python 代码的深度评审,聚焦正确性、复杂度分析与实现质量。支持算法题解审查,识别边界条件遗漏与性能瓶颈,推荐数据结构优化策略,并对比双语言实现差异,在保证逻辑严谨的同时提升代码可读性与执行效率。