dotnet-security-owasp

OWASP Top 10 (2021) security guidance for .NET applications. Each category includes the vulnerability description, .NET-specific risk, mitigation code examples, and common pitfalls. This skill is the canonical owner of deprecated security pattern warnings (CAS, APTCA, .NET Remoting, DCOM, BinaryFormatter).

Out of scope: Authentication/authorization implementation -- API-level auth patterns (Identity, OAuth/OIDC, JWT, passkeys, CORS) -- see [skill:dotnet-api-security]. Blazor auth UI (AuthorizeView, CascadingAuthenticationState) -- see [skill:dotnet-blazor-auth]. Cloud-specific security services (Azure Key Vault, AWS Secrets Manager) -- cloud epics. Cryptographic algorithm selection and key management -- see [skill:dotnet-cryptography]. Configuration binding and Options pattern -- see [skill:dotnet-csharp-configuration].

Cross-references: [skill:dotnet-secrets-management] for secrets handling, [skill:dotnet-cryptography] for cryptographic best practices, [skill:dotnet-csharp-coding-standards] for secure coding conventions.


A01: Broken Access Control

Vulnerability: Users act outside their intended permissions -- accessing other users' data, elevating privileges, or bypassing access checks.

Risk in .NET: Missing [Authorize] attributes on controllers/endpoints, insecure direct object references (IDOR) where user IDs are taken from route parameters without ownership validation, and CORS misconfiguration allowing unintended origins.
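The three risks above side by side, as an added example that is not part of the skill's own SKILL.md content. It assumes an ASP.NET Core controller app with an authentication scheme already registered (the scheme wiring is omitted), and the `Invoice` record, `IInvoiceRepository` interface, route names and origin `https://app.example.com` are placeholders invented for the illustration. The "before" controller shows the IDOR: no `[Authorize]`, and the record id in the route is trusted as-is. The "after" controller requires an authenticated caller, takes the caller's identity from the validated `ClaimsPrincipal` rather than from the request, and checks ownership before returning anything. `Program.cs` closes the remaining two gaps: a fallback authorization policy so an endpoint that forgets `[Authorize]` is denied rather than open, and a CORS policy built from an explicit origin allow-list instead of `AllowAnyOrigin()`.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// ---- Program.cs (top-level statements) ----
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddScoped<IInvoiceRepository, InMemoryInvoiceRepository>();
// Authentication scheme registration (cookie/JWT/etc.) is assumed to be configured here.

// Deny by default: any endpoint without an explicit [Authorize]/[AllowAnonymous]
// requires an authenticated user, so a forgotten attribute fails closed.
builder.Services.AddAuthorization(options =>
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build());

// CORS: an explicit allow-list, never AllowAnyOrigin() on an authenticated API.
builder.Services.AddCors(options =>
    options.AddPolicy("TrustedOrigins", policy =>
        policy.WithOrigins("https://app.example.com") // placeholder origin
              .WithMethods("GET", "POST")
              .AllowAnyHeader()));

var app = builder.Build();
app.UseCors("TrustedOrigins");
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// ---- Hypothetical domain types ----
public record Invoice(int Id, string OwnerId, decimal Amount);

public interface IInvoiceRepository
{
    Task<Invoice?> FindAsync(int id, CancellationToken ct);
}

// Constructed sample data so the example runs without a database.
public class InMemoryInvoiceRepository : IInvoiceRepository
{
    private static readonly Dictionary<int, Invoice> Data = new()
    {
        [1] = new Invoice(1, "user-alice", 120.00m),
        [2] = new Invoice(2, "user-bob", 75.50m),
    };

    public Task<Invoice?> FindAsync(int id, CancellationToken ct) =>
        Task.FromResult(Data.TryGetValue(id, out var inv) ? inv : null);
}

// BEFORE (vulnerable): [AllowAnonymous] opts out of the fallback policy, and the
// id from the route is looked up with no ownership check, so any caller can walk
// /api/invoices/1, /2, /3 ... and read every user's invoices (IDOR).
[ApiController]
[AllowAnonymous]
[Route("api/invoices")]
public class VulnerableInvoicesController : ControllerBase
{
    private readonly IInvoiceRepository _repo;
    public VulnerableInvoicesController(IInvoiceRepository repo) => _repo = repo;

    [HttpGet("{id:int}")]
    public async Task<ActionResult<Invoice>> Get(int id, CancellationToken ct)
    {
        var invoice = await _repo.FindAsync(id, ct);
        return invoice is null ? NotFound() : invoice;
    }
}

// AFTER (hardened): authentication is required, the caller's id comes from the
// validated principal (not from the URL or body), and ownership is verified before
// data leaves the server. A non-owner receives 404, the same response as a
// non-existent id, so the endpoint does not confirm which ids exist.
[ApiController]
[Authorize]
[Route("api/secure/invoices")]
public class SecureInvoicesController : ControllerBase
{
    private readonly IInvoiceRepository _repo;
    public SecureInvoicesController(IInvoiceRepository repo) => _repo = repo;

    [HttpGet("{id:int}")]
    public async Task<ActionResult<Invoice>> Get(int id, CancellationToken ct)
    {
        var callerId = User.FindFirstValue(ClaimTypes.NameIdentifier);
        if (callerId is null) return Forbid(); // authenticated but no usable identity claim

        var invoice = await _repo.FindAsync(id, ct);
        if (invoice is null || !string.Equals(invoice.OwnerId, callerId, StringComparison.Ordinal))
            return NotFound();

        return invoice;
    }
}
```

For a quick check, a request to `/api/invoices/2` with no credentials returns Bob's invoice from the vulnerable controller, while `/api/secure/invoices/2` returns 401 unauthenticated and 404 when the caller's `NameIdentifier` claim is `user-alice`; only a principal whose claim is `user-bob` gets the record. The ordinal string comparison on `OwnerId` is deliberate: culture-aware comparison can treat distinct identifiers as equal.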

Mitigation

From wshaddix/dotnet-skills
Installs: 37 | GitHub Stars: 23 | First Seen: Mar 7, 2026