Security Context MCP Server

Overview Schema Related Servers Score Discussions

owasp.ts•19.5 KiB

import axios from "axios"; import * as cheerio from "cheerio"; import { DocumentSource, SecurityDocument } from "../types.js"; export class OWASPSource implements DocumentSource { name = "OWASP"; async fetchDocuments(): Promise<SecurityDocument[]> { const documents: SecurityDocument[] = []; try { // Fetch OWASP Top 10 2021 console.error("Fetching OWASP Top 10 2021..."); const top10Docs = await this.fetchTop10(); documents.push(...top10Docs); // Fetch popular cheat sheets console.error("Fetching OWASP Cheat Sheets..."); const cheatSheets = await this.fetchCheatSheets(); documents.push(...cheatSheets); // Add OWASP API Security Top 10 console.error("Adding OWASP API Security Top 10..."); const apiSecurityDocs = this.getAPISecurityTop10(); documents.push(...apiSecurityDocs); // Add OWASP ASVS console.error("Adding OWASP ASVS..."); const asvsDocs = this.getASVS(); documents.push(...asvsDocs); // Add OWASP Mobile Security console.error("Adding OWASP Mobile Security..."); const mobileDocs = this.getMobileSecurity(); documents.push(...mobileDocs); console.error(`Fetched ${documents.length} OWASP documents`); } catch (error) { console.error("Error fetching OWASP documents:", error); } return documents; } private async fetchTop10(): Promise<SecurityDocument[]> { const documents: SecurityDocument[] = []; const top10Categories = [ { id: "A01_2021", title: "A01:2021 – Broken Access Control", url: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/", }, { id: "A02_2021", title: "A02:2021 – Cryptographic Failures", url: "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/", }, { id: "A03_2021", title: "A03:2021 – Injection", url: "https://owasp.org/Top10/A03_2021-Injection/", }, { id: "A04_2021", title: "A04:2021 – Insecure Design", url: "https://owasp.org/Top10/A04_2021-Insecure_Design/", }, { id: "A05_2021", title: "A05:2021 – Security Misconfiguration", url: "https://owasp.org/Top10/A05_2021-Security_Misconfiguration/", }, { id: "A06_2021", title: "A06:2021 – Vulnerable and Outdated Components", url: "https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/", }, { id: "A07_2021", title: "A07:2021 – Identification and Authentication Failures", url: "https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/", }, { id: "A08_2021", title: "A08:2021 – Software and Data Integrity Failures", url: "https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/", }, { id: "A09_2021", title: "A09:2021 – Security Logging and Monitoring Failures", url: "https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/", }, { id: "A10_2021", title: "A10:2021 – Server-Side Request Forgery (SSRF)", url: "https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/", }, ]; for (const category of top10Categories) { try { const response = await axios.get(category.url, { timeout: 10000, headers: { "User-Agent": "SecurityMCP/1.0", }, }); const $ = cheerio.load(response.data); // Extract main content const content = $("main, article, .content, #content") .first() .text() .trim() .replace(/\s+/g, " ") .substring(0, 5000); // Limit content size documents.push({ id: `owasp-top10-${category.id}`, source: "OWASP", title: category.title, url: category.url, content: content || "OWASP Top 10 vulnerability category", category: "OWASP Top 10", lastUpdated: new Date(), metadata: { year: 2021 }, }); // Small delay to be respectful await new Promise((resolve) => setTimeout(resolve, 500)); } catch (error) { console.error(`Error fetching ${category.title}:`, error); } } return documents; } private async fetchCheatSheets(): Promise<SecurityDocument[]> { const documents: SecurityDocument[] = []; const cheatSheets = [ { id: "sql-injection", title: "SQL Injection Prevention Cheat Sheet", url: "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html", category: "Injection Prevention", }, { id: "xss-prevention", title: "Cross Site Scripting Prevention Cheat Sheet", url: "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html", category: "XSS Prevention", }, { id: "authentication", title: "Authentication Cheat Sheet", url: "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html", category: "Authentication", }, { id: "session-management", title: "Session Management Cheat Sheet", url: "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html", category: "Session Management", }, { id: "access-control", title: "Authorization Cheat Sheet", url: "https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html", category: "Access Control", }, { id: "cryptographic-storage", title: "Cryptographic Storage Cheat Sheet", url: "https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html", category: "Cryptography", }, { id: "input-validation", title: "Input Validation Cheat Sheet", url: "https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html", category: "Input Validation", }, { id: "secure-coding", title: "Secure Product Design Cheat Sheet", url: "https://cheatsheetseries.owasp.org/cheatsheets/Secure_Product_Design_Cheat_Sheet.html", category: "Secure Design", }, { id: "password-storage", title: "Password Storage Cheat Sheet", url: "https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html", category: "Authentication", }, { id: "csrf-prevention", title: "Cross-Site Request Forgery Prevention Cheat Sheet", url: "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html", category: "CSRF Prevention", }, { id: "secrets-management", title: "Secrets Management Cheat Sheet", url: "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html", category: "Secrets Management", }, { id: "logging", title: "Logging Cheat Sheet", url: "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html", category: "Security Logging", }, ]; for (const sheet of cheatSheets) { try { const response = await axios.get(sheet.url, { timeout: 10000, headers: { "User-Agent": "SecurityMCP/1.0", }, }); const $ = cheerio.load(response.data); const content = $("main, article, .content") .first() .text() .trim() .replace(/\s+/g, " ") .substring(0, 10000); documents.push({ id: `owasp-cheatsheet-${sheet.id}`, source: "OWASP", title: sheet.title, url: sheet.url, content: content || "OWASP Cheat Sheet", category: sheet.category, lastUpdated: new Date(), metadata: { type: "cheat-sheet" }, }); await new Promise((resolve) => setTimeout(resolve, 500)); } catch (error) { console.error(`Error fetching ${sheet.title}:`, error); } } return documents; } private getAPISecurityTop10(): SecurityDocument[] { return [ { id: "owasp-api-top10-overview", source: "OWASP", title: "OWASP API Security Top 10 2023", url: "https://owasp.org/API-Security/editions/2023/en/0x11-t10/", content: `OWASP API Security Top 10 2023 identifies the most critical API security risks. APIs are increasingly targeted as they expose application logic and sensitive data. The top 10 includes: API1:2023 Broken Object Level Authorization (BOLA) - APIs expose endpoints handling object identifiers, creating wide attack surface for access control issues. API2:2023 Broken Authentication - Authentication mechanisms implemented incorrectly allow attackers to compromise authentication tokens or exploit flaws. API3:2023 Broken Object Property Level Authorization - Lack of or improper authorization validation at object property level. API4:2023 Unrestricted Resource Consumption - APIs that don't limit resources can lead to DoS or increased costs. API5:2023 Broken Function Level Authorization - Complex access control policies lead to authorization flaws. API6:2023 Unrestricted Access to Sensitive Business Flows - Exposing business flows without considering damage from excessive automated use. API7:2023 Server Side Request Forgery (SSRF) - Fetching remote resources without validating user-supplied URI. API8:2023 Security Misconfiguration - Insecure default configs, incomplete configs, open cloud storage. API9:2023 Improper Inventory Management - APIs expose more endpoints than traditional apps, making proper documentation critical. API10:2023 Unsafe Consumption of APIs - Trusting data received from third-party APIs without proper validation.`, category: "API Security", lastUpdated: new Date(), metadata: { year: 2023, type: "API Top 10" }, }, { id: "owasp-api1-bola", source: "OWASP", title: "API1:2023 Broken Object Level Authorization", url: "https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/", content: `Broken Object Level Authorization (BOLA) is the most common and impactful API vulnerability. APIs expose endpoints that handle object identifiers, creating a wide attack surface. Attackers can manipulate object IDs in API requests to access unauthorized data. Attack scenario: An attacker replaces their user ID with another user's ID in an API call and gains access to that user's data. Prevention: Implement proper authorization checks for every function accessing data using client input. Use random, unpredictable values as GUIDs for records. Write tests to evaluate authorization mechanism. Never rely solely on IDs from client. Authorization logic should be centralized and reusable. Validate that the logged-in user has permission to perform the requested action on the record. Use audit logs to detect BOLA attempts. Consider implementing object-level access control using policy engines.`, category: "API Security", lastUpdated: new Date(), metadata: { year: 2023, type: "API Top 10", rank: 1 }, }, { id: "owasp-api2-auth", source: "OWASP", title: "API2:2023 Broken Authentication", url: "https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/", content: `Broken Authentication in APIs occurs when authentication mechanisms are implemented incorrectly. Common vulnerabilities include: Weak credentials - allowing weak passwords, using predictable tokens. Missing authentication - API endpoints accessible without authentication. Credential stuffing - no protection against automated attacks using leaked credentials. Brute force - no rate limiting on authentication endpoints. Insecure token handling - tokens exposed in URLs, not expired properly, or not invalidated on logout. JWT issues - accepting unsigned tokens, weak algorithms, sensitive data in payload. Prevention: Know all possible flows to authenticate to the API. Implement standard authentication protocols. Use rate limiting and lockout mechanisms. Implement multi-factor authentication. Don't expose session tokens in URLs. Use short-lived access tokens. Implement proper token validation and revocation. Use secure token storage. Generate session tokens with high entropy.`, category: "API Security", lastUpdated: new Date(), metadata: { year: 2023, type: "API Top 10", rank: 2 }, }, ]; } private getASVS(): SecurityDocument[] { return [ { id: "owasp-asvs-overview", source: "OWASP", title: "OWASP Application Security Verification Standard (ASVS) 4.0", url: "https://owasp.org/www-project-application-security-verification-standard/", content: `OWASP ASVS provides a basis for testing web application security controls and provides developers with a list of requirements for secure development. Three verification levels: Level 1 - First steps, automated, or whole of portfolio view. For all software. Level 2 - Most applications. For applications containing sensitive data requiring protection. Level 3 - High value transactions, medical, safety-critical. For most critical applications performing high value transactions. ASVS covers 14 categories: V1 Architecture, Design and Threat Modeling, V2 Authentication, V3 Session Management, V4 Access Control, V5 Validation, Sanitization and Encoding, V6 Stored Cryptography, V7 Error Handling and Logging, V8 Data Protection, V9 Communication Security, V10 Malicious Code, V11 Business Logic, V12 Files and Resources, V13 API and Web Service, V14 Configuration. Each category contains specific requirements with associated verification level.`, category: "Security Standards", lastUpdated: new Date(), metadata: { version: "4.0", type: "ASVS" }, }, { id: "owasp-asvs-auth", source: "OWASP", title: "OWASP ASVS V2: Authentication Requirements", url: "https://owasp.org/www-project-application-security-verification-standard/", content: `ASVS V2 Authentication Verification Requirements cover all aspects of authentication security. V2.1 Password Security Requirements: Verify passwords are at least 12 characters (L1), allow at least 64 characters (L1), allow all Unicode characters (L1), check against breached password lists (L2), provide password strength meter (L1). V2.2 General Authenticator Requirements: Verify anti-automation controls prevent credential stuffing (L1), implement MFA for sensitive actions (L2). V2.3 Authenticator Lifecycle: Verify secure credential recovery process (L1), secure initial authentication distribution (L2). V2.4 Credential Storage Requirements: Verify passwords stored using approved one-way key derivation function (L1), salt at least 32 bits unique per credential (L2), use PBKDF2, bcrypt, scrypt, or Argon2 (L2). V2.5 Credential Recovery: Verify recovery doesn't reveal current password (L1), use time-limited tokens (L1). V2.6 Look-up Secret Verifier: Verify look-up secrets are used only once (L2).`, category: "Security Standards", lastUpdated: new Date(), metadata: { version: "4.0", type: "ASVS", section: "V2" }, }, { id: "owasp-asvs-crypto", source: "OWASP", title: "OWASP ASVS V6: Stored Cryptography Requirements", url: "https://owasp.org/www-project-application-security-verification-standard/", content: `ASVS V6 Cryptography Verification Requirements ensure sensitive data is protected properly. V6.1 Data Classification: Verify all regulated financial and health data is encrypted at rest (L2), verify PII is encrypted at rest (L2). V6.2 Algorithms: Verify all cryptographic modules fail securely (L1), use only FIPS 140-2/3 validated algorithms (L3), use industry standard algorithms like AES-256, RSA-2048+, SHA-256+ (L1). V6.3 Random Values: Verify random values generated using CSPRNG (L2), avoid UUIDs and GUIDs for security purposes unless version 4 (L2). V6.4 Secret Management: Verify secrets not stored in code (L1), key management with secure key generation, storage, rotation (L2), keys stored in secure vault (L2), verify secrets can be rotated (L2). Deprecated algorithms include MD5, SHA-1, DES, 3DES for new systems. Use envelope encryption for data at rest. Implement proper key lifecycle management including creation, rotation, revocation, and destruction.`, category: "Security Standards", lastUpdated: new Date(), metadata: { version: "4.0", type: "ASVS", section: "V6" }, }, ]; } private getMobileSecurity(): SecurityDocument[] { return [ { id: "owasp-mobile-top10", source: "OWASP", title: "OWASP Mobile Top 10 2024", url: "https://owasp.org/www-project-mobile-top-10/", content: `OWASP Mobile Top 10 2024 identifies the most significant mobile application security risks. M1: Improper Credential Usage - Hardcoded credentials, insecure credential storage, improper credential transmission. M2: Inadequate Supply Chain Security - Insecure third-party libraries, malicious SDKs, insufficient code signing. M3: Insecure Authentication/Authorization - Weak authentication mechanisms, missing session management, broken authorization. M4: Insufficient Input/Output Validation - SQL injection, XSS, path traversal in mobile context. M5: Insecure Communication - Cleartext traffic, improper certificate validation, weak TLS. M6: Inadequate Privacy Controls - Excessive data collection, insecure data storage, improper consent. M7: Insufficient Binary Protections - Missing code obfuscation, debug symbols in release, no jailbreak detection. M8: Security Misconfiguration - Debug mode in production, insecure default settings, exposed content providers. M9: Insecure Data Storage - Storing sensitive data in plaintext, shared preferences exposure, clipboard vulnerabilities. M10: Insufficient Cryptography - Weak algorithms, hardcoded keys, improper key management.`, category: "Mobile Security", lastUpdated: new Date(), metadata: { year: 2024, type: "Mobile Top 10" }, }, { id: "owasp-masvs", source: "OWASP", title: "OWASP Mobile Application Security Verification Standard (MASVS)", url: "https://mas.owasp.org/MASVS/", content: `OWASP MASVS provides security requirements for mobile apps across iOS and Android platforms. Two verification levels: MASVS-L1 - Standard security for all mobile apps. MASVS-L2 - Defense-in-depth for apps handling sensitive data. Categories include: MASVS-STORAGE - Secure data storage on device, keychain/keystore usage, preventing data leakage. MASVS-CRYPTO - Proper use of cryptographic primitives, secure key management. MASVS-AUTH - Local authentication (biometrics, PIN), session management. MASVS-NETWORK - Secure network communication, certificate pinning, TLS verification. MASVS-PLATFORM - Platform security features, IPC security, WebView security. MASVS-CODE - Code quality, input validation, memory corruption prevention. MASVS-RESILIENCE - Reverse engineering protection, tampering detection, jailbreak/root detection. Use MASVS with MASTG (Mobile Application Security Testing Guide) for comprehensive testing. Requirements are platform-agnostic but implementations differ for iOS and Android.`, category: "Mobile Security", lastUpdated: new Date(), metadata: { type: "MASVS" }, }, ]; } }

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/abreed05/cybersecurity-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

owasp.ts•19.5 KiB